Archive for February 24th, 2015

Tip: Still using IGEL LX/OS Version 4.x.x and require SHA2 or Storefront support for Citrix ICA sessions?

Tuesday, February 24th, 2015

Hi Folks,

i know a couple of customers and users are waiting for this, so if you still have older IGEL UDx-x2x and UDx-x3x running IGEL LX Version 4.x.x or migrated 3rd Party devices (migrated with the Universal Desktop Converter Version 1) you can now use SHA2 certificates and Citrix Storefront with the latest Version 4.14.100.

Please be aware: Read the disclaimer coming with the new firmware release, it’s very important for devices coming with only a 512MB HDD/CF-Card! Also the “old” hidden failback switch (mentioned here) to select between different Citrix Receiver 12 Versions is obsolete with Firmware 4.14.100, you can now switch  between Citrix Receiver Version 12 and 13!

For the Storefront Setup you can use our Whitepaper here, only the local Client screens will look a little bit different regarding the GUI difference between Linux V4 and V5.


News from Superfish (aka Lenovogate)

Tuesday, February 24th, 2015

Hi Folks,

last week we posted two articles related to the Superfish Adware which came pre-installed with some Lenovo devices produced in the last Quarter of 2014. Superfish contains strong security concerns regarding the used SSL interception technology coming from an other Company calling Komodia.

It seams that this will now run into a or better several (i know already about two) class action lawsuit in the US against Lenovo, read also the article at PCWorld. I hope this will be a warning for other Hardware vendors pre-installing software without any sense or effective use for the user and without any real security verification.

Lenovo has already published a uninstall tool (Read also here), also some Virus remove tools like Avast or Microsoft Defender will remove it (or try to do it). In any way you should verify the local Computer Certificate Store to be sure… Also Lenovo released an open letter here.

There is also other Software available which uses the Komodia SSL interception technology incl. a Trojan, there is a really good article available at Facebook by Matt Richard(Facebook Securtiy Team) here and i recommend to read it if you have to do or are intrested with/in IT Security.

If you want to perform a check to verfiy that you’ve not any SSL interception software installed try out this site: Badfish check

You’re using Firefox and Chrome/Internet Explorer? Don’t forget to open the Website above with Firefox and also Chrome/Internet Explorer.



Release: IGEL Universal Desktop LX/OS Firmware 4.14.100

Tuesday, February 24th, 2015

IGEL Universal Desktop LX
Version 4.14.100
Release date 2015-02-23
Last update of this document 2015-02-23

Supported devices:
UD2-x31 LX, UD2-x30 LX, UD2-x21 LX, UD2-x20 LX
UD3-x40 LX, UD3-x31 LX, UD3-x30 LX, UD3-x21 LX, UD3-x20 LX
UD5-x40 LX, UD5-x30 LX, UD5-x20 LX
UD9-x31 LX, UD9-x30 LX
The online Release Notes can be found at
Registry Keys of parameters are listed there.

– 2X Client 12.0.0-2270
– Cisco VPN Client
– Citrix Access Gateway Standard Plug-in
– Citrix HDX Realtime Media Engine 1.6.0-6
– Citrix Receiver
– Citrix Receiver
– Client for RedHat Enterprise Virtualization Desktops 3
– Dell vWorkspace Connector for Linux 7.7.3
– Ericom PowerTerm
– Ericom Webconnect
– FabulaTech USB for Remote Desktop 5.0.4
– Firefox 17.0.11
– IBM iSeriesAccess 7.1.0-1.0
– IGEL Legacy RDP Client 1.0
– IGEL RDP Client 2.1
– Imprivata OneSign ProveID Embedded
– Leostream Java Connect
– NCP Secure Client (Enterprise) 3.25-rev15580-i686
– NX Client 4.2.27
– Oracle JRE 1.7.0_76
– SAP GUI java710rev6
– Thinlinc Client 4.3.0-4538
– ThinPrint Client 7.0.63
– Totem Media Player 2.30.2
– Virtual Bridges VERDE Client 7.1.1_rel.24005
– VMware Horizon client 3.2.0-2331566
– Voip Client Ekiga 3.2.7

– Driver for Grundig Business Systems dictation devices
– Driver for Olympus dictation devices
– Legacy Philips Speech Driver 5.0.10
– Philips Speech Driver 12.2.7

– PKCS#11 Library A.E.T SafeSign 3.0.3665
– PKCS#11 Library Gemalto IDPrime 1.1.0
– PKCS#11 Library SecMaker NetID
– Reader Driver ACS CCID 1.0.5
– Reader Driver HID Global Omnikey CCID
– Reader Driver MUSCLE CCID 1.4.13
– Reader Driver Omnikey CCID legacy-3.6.0
– Reader Driver Omnikey RFID legacy-2.7.2
– Reader Driver REINER SCT cyberJack 3.99.5final.SP03
– Reader Driver Safenet / Aladdin eToken 8.1.0-4
– Reader Driver SCM Microsystems CCID 5.0.27
– Resource Manager PC/SC Lite 1.8.9

System Components:
– Graphics Driver INTEL 2.17.0
– Graphics Driver VIA
– Graphics Driver VIA Legacy 4.1.83
– Xorg X11 Server 1.11.4
– Xorg Xephyr 1.7.6
This release contains Citrix Receiver versions 12 and 13.
The Citrix Receiver 12 is still available for compatibility reasons and
activated by default. Version 13 of the Citrix Receiver can be activated at
the local setup of the device or through a UMS profile configuration.
Only one version can be used.
Known issues:

[Dell vWorkspace Connector]
– Seamless applications exported from Win8/8.1 desktops show display errors when
dragged to the screen edges.
– At dual view configuration flash redirected windows can appear on wrong screen.
– After the start of a seamless session the window is initially maximized before being
resized to the correct size.
– Windows XP sessions might not work properly anymore.
– Only standard 105 keys PC keyboards are supported.
Not supported anymore: Trimodal, Sun Type 6 or IBM 122 keys.
– Mapping of drives to a dedicated drive letter is not possible anymore.
– If Com-port redirection is enabled all linux serial ports (/dev/ttySx) will be mapped.
– If printer mapping is enabled all printers configured in CUPS are mapped.
– For Multimedia Redirection sound redirection with WMV/WMA streams is not working.
– USB Redirection may not work reliable.
– Session starts only if RDP Local Logon Window
(IGEL Setup->Sessions->RDP->RDP Global->Local Logon) is active.

[VMware Horizon]
– Remote Applications are not seamless in the strict sense.
These are rather displayed in an extra window decorated by the TC’s window manager.
– If more applications defined and started in the same session, all are displayed inside this window.
The default size of this window can be defined in the Window section of the Horizon session.
– PCoIP user input language synchronization is currently broken.

– StepOver serversonet does not work with natureSign signature pad.

– Genucard versions 4 or greater currently cannot retrieve an IP adress.

– In mode “IGEL Smart Card without Locking Desktop”: when a Horizon session is running
and the smart card is removed , the Horizon desktop and application chooser window stays open.
– In mode “IGEL Smart Card without Locking Desktop”: when a RDP session is running
and the smart card is removed, a bogus warning window is shown.
– Running 2X sessions from IGEL Smart Card fails with error “server name missing”.
New features:

[Citrix Receiver 13]
– Integrated Citrix Receiver 13.1.2
– Added support for StoreFront
Hints (It is IMPORTANT to read this, if you plan to use Citrix Receiver 13
instead of 12 and/or want to connect to a Citrix StoreFront server):
– This firmware contains two Citrix Receivers, but only one of them can be
active at a time. Default is Citrix Receiver 12. The version can be
switched by the new parameter “Use Citrix Receiver version 13” in the
IGEL setup at “Sessions->Citrix->Citrix Receiver Selection”
– The new parameter “Citrix server type” on IGEL setup page
“Sessions->Citrix->Citrix StoreFront / Web Interface ->Server” defines the
capabilities of the Receiver
according to the used Citrix server versions (default is “Web Interface”).
– For Citrix StoreFront only access via https is supported. If the SSL certificate
of your Citrix server is not signed by a trusted certificate authority
(like Verigsign, Thawte etc.), you have to install the root certificate of your
own certificate authority on each Thin Client.
Please use to access the
document on how to install SSL certificate.
– Legacy ICA sessions only work with Citrix XenApp servers up to version 6.5.
– The parameter “Deferred update mode” has no effect anymore.
– Added support for SHA-2 based certificates.
– Kerberos is only supported with Legacy ICA Sessions and Web Interface,
not with StoreFront.
– To enable usage of Smartcard authentication it is necessary
to choose Smartcard logon on the redesigned setup page
Citrix > Citrix StoreFront / Web Interface > Logon
and to choose the correct smart card on page
Citrix > Citrix StoreFront / Web Interface > Logon > Smartcard.
Passthrough authentication with smart card is only possible with StoreFront.
– Added “CGP Address” parameter to support the session reliability feature on page:
Citrix > HDX / ICA Global > Options
(Please note that this parameter might be overwritten by the
Citrix server.)
– Added parameter “ica.wfclient.twiavoidfullscreenwhenmaximized” to enable
a bug fix from Citrix regarding maximization of windows in a multi-monitor
setup with different resolutions (default: Disabled).
– Added parameter “ica.wfclient.twisetfocusbeforerestore” to enable a
workaround from Citrix to set the focus on windows before restoring them
to avoid issues with Java applications.(default: Disabled)
– Added parameter “ica.wfclient.applysucconntimeouttodesktops” to let the
session sharing timout option “SucConnTimeout” be applied to desktops
as well (default: Disabled)
– Added registry parameter “ica.pnlogin.use_ctx_auth_mgmt”, that
enforces usage of the built-in authentication management of the
Citrix Receiver 13 instead of the IGEL mechanism. This disables credential
related features like passthrough, auto-logon etc.
– With Citrix Receiver 13 there is support for new graphics codec parameters:
– H264 deep compression codec registry keys:
* ica.wfclient.h264enabled (disabled by default)
* ica.wfclient.texttrackingenabled
* ica.wfclient.smallframesenabled
The H264 codec is only usable if the multimedia codec pack is installed.
Detailed description of the parameters are available at: and

Click to access linux-oem-guide-13-1.pdf

– JPEG codec registry keys:
* ica.wfclient.directdecode
* ica.wfclient.batchdecode (enabled by default)
Detailed description of the parameters are available at: and

Click to access linux-oem-guide-13-1.pdf

– Updated Philips Speech drivers to version 12.2.7
– New Grundig dictation driver: increased stability of audio channel.
Grundig SoundBox 820, DigtaSonic Mic I and ProMic 840 are not supported any more
– Updated driver for dictation with Olympus devices
– Added Citrix HDX RTME 1.6.0-6 used for Lync optimization.
– ICA sessions with Kerberos Passthrough: it is now possible to choose the Kerberos
implementation(s) which are used with Citrix via parameter
ica.module.virtualdriver.sspi.kerberosselection default: Heimdal,MIT
– Added parameter windowmanager.wm0.variables.igelicaallowminimize in the
registry to circumvent problems java-based windows over ICA with a popup
window. If set to false, ICA windows with a popup can not be minimized
– Added support to restrict Legacy ICA sessions with workarea window mode to
a single monitor at
“IGEL Setup->Sessions->Citrix-> Legacy ICA Sessions->[session name]->
Window->Start Monitor”.
The value “No Configuration” expands the windows over all monitors without
hiding the taskbar.
– Improved the synchronization of starting Citrix sessions to avoid opening
multiple ICA channels, if possible. For fine-tuning, it is possible to
configure the maximum waiting time till a session starts, regardless of
the status of a previous started session. The parameter is available in
the registry: “ica.pnlogin.app_start_max_delay” (default: 30)
– Added a mechanism to autostart published applications, configurable on
setup page Citrix > Citrix StoreFront / Web Interface > Logon.
The new synchronization mechanism mentioned above is applied for
autostarts as well.

– Integrated IGEL RDP Client 2:
– New workarea window mode
– New Audio-In support
– Improved RemoteApp support
– Fixes for drive mapping
– Without Gateway Support
– Without RDP 8 based RemoteFX support (EGFX)
– Without Video Optimized Redirection (EVOR)
– IGEL Legacy RDP Client 1.0 can be enabled at setup page:
IGEL Setup -> Sessions -> RDP -> RDP Global -> Options
– Updated Philips Speech drivers to version 12.2.7
– New Grundig dictation driver: increased stability of audio channel.
Grundig SoundBox 820, DigtaSonic Mic I and ProMic 840 are not supported any more
– Updated driver for dictation with Olympus devices

[VMware Horizon]
– Updated VMware Horizon Client to version 3.2.0-23315666
– Added support to start a specific application published by a Horizon 6 server.
In the IGEL Setup go to Sessions->Horizon Client->Horizon Client Sessions
choose a session or create one and specify under Connection Settings
the application name to start and set the session
type to “Application”. (the checkbox “Autoconnect” should also be enabled).
In the IGEL setup registry the new keys can be found in each view session:
– sessions.vdm_client%.options.appname
– sessions.vdm_client%.options.sessiontype (default: “Desktop”)
– RDP sessions are using the standard IGEL RDP Client 2 client now
instead of the legacy rdesktop variant.
– The Ctrl+Alt+Delete behavior (for PCoIP sessions) has three options now:
* show Horizon Client’s chooser dialog to either send the key combo to the
host/VM or disconnect from the session
* send Ctrl-Alt+Delete directly to the host/VM
* do nothing
The corrosponding key in the IGEL registry is found in:
– vmware.view.handle-ctrl-alt-del (default is “Show chooser”)
For sessions connected via Microsoft RDP the chooser dialog is the only option.
– Added switch for “Ctrl+Alt+Insert” redirection to VM.
Depending on server configuration either “Ctrl+Alt+Insert”,
“Ctrl+Alt+Delete” or no action can be triggered.
The registry key is located at “vmware.view.sendctrlaltinstovm” (default: Disabled)

[Dell vWorkspace Connector]
– Updated Dell vWorkspace Connector for Linux to version 7.7.3
– Added switch to enable bidirectional audio at
“IGEL Setup->Sessions-> RDP->RDP Global->Sound->Audio capture”
for global configuration, or session-specific at
“IGEL Setup->Sessions-> vWorkspace Client Sessions->[session name]->Mapping->Enable Microphone mapping”
– Added switch for font-smoothing at
“IGEL Setup->Sessions-> RDP->RDP Global->Performance->Enable Font smoothing”
for global configuration or session-specific at
“IGEL Setup->Sessions-> vWorkspace Client Sessions->[session name]->Performance->Enable font smoothing”.
– Added switch for vWorkspace connection bar at
“IGEL Setup->Sessions ->RDP->RDP Global->Enable Toolbar”
for global configuration, or session-specific at
“IGEL Setup->Sessions->vWorkspace Client Sessions-> [session name]->Window->Display the
connection bar when in full screen mode”.

– Updated NX Client to version 4.2.27:
New parameters:
– Connection service: sessions.nxclient<NR>.general.connection_service (Possible values: SSH, NX. Default: SSH)
– Logon method: sessions.nxclient<NR>.login.login_method (Possible values: Password, Private key. Default: password)

[2X Client]
– Updated 2X Client to version 12.0.0-2270
New parameters:
– TLS Authentication: sessions.twox<NR>.local_resources.windows_key_combinations Default: Disabled
– Network Level Authentication: sessions.twox<NR>.advanced.network_level_authentication Default: Enabled
– Pre-Windows 2000 Login Format: sessions.twox<NR>.advanced.oldwindows_login_format Default: Enabled
– Windows key combinations: sessions.twox<NR>.local_resources.windows_key_combinations Default: Local

[Shared Workplace]
– Shared workplace (SWP) now supports user display configurations
(including resolution, orientation, layout, refresh rates).

– Updated ThinLinc client to version 4.3.0-4538.
New parameters:
– Multi monitor option: sessions.thinlinc<NR>.config.full_screen_all_monitors (default: Enabled)
– Resize remote desktop session: sessions.thinlinc<NR>.config.remote_resize (default: Enabled)
– Send system keys: sessions.thinlinc<NR>.config.send_syskeys (default: Enabled)
– SmartCard redirection: sessions.thinlinc<NR>.config.smartcard_export_enabled (default: Disabled)
– Lockdown Local device tab: sessions.thinlinc<NR>.options.locklocaldevices (default: Enabled)
– Lockdown Security tab: sessions.thinlinc<NR>.options.locksecurity (default: Enabled)

[Leostream Java Connect]
– Updated Leostream Connect_Java Client to Version 3.0.57

– Changed VNC version to 0.9.13
– Added VNC secure mode, based on a SSL-encrypted VNC connection. The SSL
connection uses a special certificate located in the directory /wfs/ca-certs.
This feature requires the Universal Management Suite (UMS) to be involved,
to handle the shadowing permissions and double check whether the connection
is allowed or not. In addition the UMS is used to assure a secure credential
exchange between the TC and the UMS console.
IMPORTANT: The UMS must have the version 4.07.100 or higher!
The feature can be enabled in IGEL setup at “System->Shadow->Secure Mode”

– Upgraded HID Global Omnikey smart card reader driver to version
The following new readers are supported:
OMNIKEY CardMan (076B:0596) 2020
OMNIKEY CardMan (076B:3020) 3020
OMNIKEY CardMan (076B:3022) 3021
OMNIKEY CardMan (076B:3620) 3620
OMNIKEY CardMan (076B:7021) 3121
OMNIKEY CardMan (076B:3623) 3621
OMNIKEY CardMan (076B:3822) 3821
OMNIKEY CardMan (076B:3823) 3821
OMNIKEY CardMan (076B:5820) 4121 CL
OMNIKEY CardMan (076B:512D) 5025 PROX CL
OMNIKEY CardMan (076B:502A) 5025 PROX CL
OMNIKEY CardMan (076B:C001) 5121
OMNIKEY CardMan (076B:C100) 5121
OMNIKEY CardMan (076B:C101) 5121
OMNIKEY CardMan (076B:C104) 5125 CL
OMNIKEY CardMan (076B:C105) 5125
OMNIKEY CardMan (076B:5127) 5127 CK
OMNIKEY CardMan (076B:5220) 5220 Pay CL
OMNIKEY CardMan (076B:5221) 5221 Pay
OMNIKEY CardMan (076B:5311) 5321
OMNIKEY CardMan (076B:532B) 5321 Pay
OMNIKEY CardMan (076B:5340) 5021 CL
OMNIKEY CardMan (076B:A521) 5321
OMNIKEY CardMan (076B:5326) 5326 DFR
OMNIKEY CardMan (076B:5421) 5421
OMNIKEY CardMan (076B:1784) 6020
OMNIKEY CardMan (076B:6623) 6121
OMNIKEY CardMan (076B:6310) 6311 CL
OMNIKEY CardMan (076B:1BD0) 7120
OMNIKEY CardMan (076B:1BD1) 7121
OMNIKEY CardMan (076B:8630) 8630
OMNIKEY CardMan (076B:9621) 9621
CCID SC Reader (076B:A023)
CCID SC Reader (076B:A024)
CCID SC Reader (076B:A111) Keyboard
CCID SC Reader (076B:A112) Keyboard
CCID SC Reader (076B:A721)
CCID SC Reader (076B:B000) HID identiCLASS
CCID SC Reader (076B:B001) iCLASS Smart@Link
CCID SC Reader (076B:C000)
CCID SC Reader (076B:C200)
CCID SC Reader (076B:C300)
CCID SC Reader (0BF8:101B)
Fujitsu D321 (0BF8:1021)
Fujitsu G87 SC Contact Keyboard Cherry SmartTerminal XX44 (046A:007B)
Cherry SC Reader (046A:0090)
Cherry SC Reader (046A:0091)
Cherry SC Reader (046A:0092)
Cherry SC Reader (046A:00A3)

– Updated Softpro VirtualSerialSignpad driver to version

[USB Redirection]
– Upgraded Fabulatech USB for Remote Desktop up to 5.0.4

– Updated JRE to version 1.7.0 update 76

– Updated StepOver serversonet to version 0.7.16

– Added parameter for DHCP user class option (see RFC 3004): * network.dhcp.user_class The default value is
empty and means that the option is not used. Non-printable bytes can be specified as \ooo, where each o is
an octal digit, or \xhh, where each h is a hexadecimal digit. ‘\’ and ‘”‘ must be escaped by prepending ‘\’.
– Added parameters for DHCP client identifier options (see RFC 2132):
– network.interfaces.ethernet.device0.dhcp_client_id
– network.interfaces.ethernet.device1.dhcp_client_id
– network.interfaces.wirelesslan.device0.dhcp_client_id
Example values: \ (a FQDN with type byte 0 prepended),
\x01\x00\x11\x22\x33\x44\x55 (the MAC address 00:11:22:33:44:55 with type byte 1 prepended)

– Upgraded NCP Enterprise VPN client up to 3.25-rev15580

[base system]
– Active Directory/Kerberos Logon: it is now possible to specify the default lifetime
and renewal lifetime of Kerberos tickets with parameters auth.krb5.libdefaults.ticket_lifetime
and auth.krb5.libdefaults.renew_lifetime in setup registry.
The default values are 10 hours and 7 days respectively.
– New TC Setup 4.8.18:
Added a quick link bar on many setup pages to find and get to related
configuration pages directly. Increased the default size of the setup window
to retain the readability of the affected setup pages (only when the setup
is started for the first time).
– Updated Chinese, Dutch, French and German userinterface translations
– Changed english label of start button on Application Launcher’s Applications
page from “Start” to “Execute”. A custom label for the button can be defined with parameter:
– userinterface.launcher.displaynames.startbuttonname.
– Added possibility to add custom timezone files to /wfs/zoneinfo/ directory.
– Increased the default taskbar height to 40.

Resolved issues:

– Fixed missing desktop/menu icons with Citrix XenApp/Program Neighborhood
– Fixed matching of application names in ICA autostart list
– Fixed Citrix XenApp/Programm Neighborhood refresh command
– Fixed problems with vanishing systray icons.
– Fixed: ICA sessions are not closed anymore, when a USB headset is plugged in or out.
– Fixed window focus after closing a dialog. The focus will be set correctly.
– Added a workaround to deal with windows of a very low height, that show up.
in the taskbar although they shouldn’t (e.g. some tooltip windows in seamless
Citrix sessions). To use this, adjust the parameter
“windowmanager.wm0.variables.tooltipsize” in the registry. A useful value for
single-lined tooltip windows would be 20.

– Fixed a minor bug in xen appliance mode with german keyboard layout and numblock DEL key.

– Fixed log on with Gemalto .net cards to Windows Server 2008
– Fixed execution problems of RemoteApps with short names.

[VMware Horizon]
– Added for passthrough authentication the possibility to use the shortened
domain name instead of the fully qualified domain name, like “EXAMPLE” instead of “EXAMPLE.COM”.
To enable shortened domain name for a particular session, go in the IGEL Registry and set the key
sessions.vdm_client%.options.passthrough_shortdomain to true.
– Fixed bug regarding Horizon/RDP sessions, where session restart was not possible after closing via menu bar
(Disconnect desktop and quit).

[Dell vWorkspace Connector]
– Fixed USB Redirection issues
– Fixed hotkey handling

– Fixed system language detection in IBM iSeriesAccess sessions.
– fixed keyboard input of eastern european characters (czech, slovak, etc.)
enable registry key “iseriesaccessglobal.iso8859_2_fix”, default: Disabled

– Handling of the “default” mark of a printer configured under Devices/Printer/Thinprint/Printer has been improved.

– Improved handling of Lock keys in VNC Server. All modifiers will be cleared
by default when shadowing is started. Lock keys are handled on client side
only by default.
(registry: network.vncserver.clear_all (default: Enabled) and
network.vncserver.skip_lockkeys (default: Enabled))

– Fixed X server restart.

[Universal MultiDisplay]
– Fixed UMD screen arrangement

– Implemented SCARD_ATTR_CURRENT_PROTOCOL_TYPE in pcsc-lite; this helps smart card log on with
SafeSign minidriver
– Fixed log off with IGEL Smartcard: when additional smart card readers were added or removed during
a session, removing the smart card did not trigger log off any more.

[base system]
– Updated ca-certificates to ubuntus utopic version
The list of integrated certificates is available at:
– Fixed CVE-2014-6271 (ShellShock Bug)
– Applied bash security patches for CVE-2014-6277, CVE-2014-6278
– Fixed OpenSSL 1.0.1 security issues:
CVE-2014-0160 (heartbleed bug), CVE-2014-0076, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470,
CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-5139, CVE-2014-3512, CVE-2014-3511,
CVE-2014-3510, CVE-2014-3509, CVE-2014-3508, CVE-2014-3507, CVE-2014-3506, CVE-2014-3505,
CVE-2014-3568, CVE-2014-3567, CVE-2014-3513, CVE-2014-3569, CVE-2014-3570, CVE-2014-3571,
CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206 fixed.
– Improved OpenSSL 1.0.1 security: Added support to mitigate a protocol downgrade attack
to SSLv3 that exposes the POODLE attack.
– Fixed OpenSSL 0.9.8 security issues: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195,
CVE-2013-0169, CVE-2013-0166, CVE-2012-2333 and CVE-2012-0884 fixed.
– Fixed gnuTLS security issues: CVE-2014-0092, CVE-2011-4128, CVE-2012-1573, CVE-2013-1619,
CVE-2013-2116, CVE-2014-1959, CVE-2014-0092 and CVE-2014-3466 fixed.
– Fixed libtasn1-3 security issues: CVE-2012-1569, CVE-2014-3469, CVE-2014-3468 and CVE-2014-3467 fixed.
– Fixed libgcrypt11 security issues: CVE-2013-4242 and CVE-2014-5270 fixed.
– Fixed libkrb5 security issues: CVE-2010-1321, CVE-2010-1322, CVE-2010-4020, CVE-2010-1323,
CVE-2010-1324, CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, CVE-2011-0284, CVE-2011-1530,
CVE-2012-1012, CVE-2012-1013, CVE-2012-1015, CVE-2012-1014, CVE-2014-4345, CVE-2014-4344,
CVE-2014-4343, CVE-2014-4342, CVE-2014-4341, CVE-2013-6800, CVE-2013-1418, CVE-2013-1416,
CVE-2013-1415 and CVE-2012-1016 fixed.
– Fixed: With Kerberos authentication, when typing a wrong password at log on or screen saver unlock,
badPwdCount in Active Directory was incremented by 2 instead of 1 and thus the
account was locked too soon.
– Added security patch to fix CVE-2014-0196
– Fix for identical custom CAs.
– Fixed CVE-2014-6271 (ShellShock Bug)
– Fixed Active Directory domain logon with user principal names (UPN): Before logon was only working
if the first part of the UPN was the same as the sAMAccountName of the user.
– Improved FAT USB Stick write performance with using flush,dirsync mount option instead of sync.
The corresponding switch is in the IGEL Registry:
– devices.autofs.automount%.sync_option, default: Disabled (default was changed)
– devices.autofs.automount%.flush_option, default: Enabled (new registry entry)
To get back old behaviour switch devices.autofs.automount%.sync_option to enabled.
– Fixed glibc 2.15 security issues: CVE-2015-0235 (GHOST), CVE-2012-6656, CVE-2014-6040,
CVE-2014-7817, CVE-2014-5119, CVE-2014-0475, CVE-2013-4458, CVE-2014-0475, CVE-2014-4043,
CVE-2013-4332, CVE-2012-4412, CVE-2012-4424, CVE-2013-0242, CVE-2013-1914, CVE-2013-4237
and CVE-2013-4332
– Fixed english label in application launcher: renamed “Start …” in context menu of
applications to “Execute …”
– On resume caps-lock/scroll-lock modifiers are reset
– Updated timezone information

[TC Setup (Java)]
– Added hint in setup tooltips that suspend option isn’t available with Universal MultiDisplay.
– Fixed alphabetical sorting of keyboard layout list on IGEL Setup page User Interface->Language.
Previously the sorting was not correct in some languages like German.

– Fixed the “Hide Cursor” feature
– Added support for DisplayPort Resolution 2560×1080
– Fixed display gamma correction setting on UD2 and UD3
– Fixed wrong background of taskbar separators after screen lock
– The System set the focus correctly on desktop after system start.
Registryparameter: userinterface.desktop.focusable must be activate.

– Fixed Genucard DHCP IP retrieval