FIRMWARE RELEASE NOTE
======================

Products affected:  AXIS Q2901
Release date:       2023-02-02
Release type:       Production
Firmware version:   6.50.5.8
Preceding release:  6.50.5.7

--------------------------------------------------------------------------------

Upgrade instructions
====================
Upgrade the firmware according to the instructions given at https://www.axis.com/ca/en/support/technical-notes/how-to-upgrade or howtoupgrade.txt, which is included in the firmware folder.

NOTE
====================
For latest information about Axis Cybersecurity, see https://www.axis.com/se/sv/support/product-security.

Corrections in 6.50.5.8 since 6.50.5.7
=======================================
6.50.5.8:C01 General improvements to the platform.
6.50.5.8:C02 Disabled secure redirects from other network hosts (net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects) to increase overall minimum cybersecurity level.
6.50.5.8:C03 Corrected an issue with the audio transmit function where the response to /axis-cgi/audio/transmit.cgi was a '400 Bad Request' error.

Corrections in 6.50.5.7 since 6.50.5.6
=======================================
6.50.5.7:C01 General improvements to the LTS-2016 platform.
6.50.5.7:C02 Updated OpenSSL to version 1.1.1s to increase the overall cybersecurity level.
6.50.5.7:C03 Updated curl to version 7.86.0 to increase overall cybersecurity level.
6.50.5.7:C04 Updated Apache to version 2.4.54 to increase overall cybersecurity level.
6.50.5.7:C05 Corrected an issue that caused Audio via external VMS to stop working.
6.50.5.7:C06 Corrected CVE-2018-25032.
6.50.5.7:C07 Corrected an issue that caused a wrong file size to be reported for recordings larger than 50MB when using FTP.
6.50.5.7:C08 Corrected an issue where 802.1X would not trust the intermediate certificate authority (CA).

Corrections in 6.50.5.6 since 6.50.5.5
=======================================
6.50.5.6:C01 General improvements to the LTS-2016 platform.
6.50.5.6:C02 Updated wpa-supplicant to version 2.10 to increase overall minimum cybersecurity level.
6.50.5.6:C03 Receiving ICMP redirects from other network hosts is now disabled to increase overall minimum cybersecurity level.
6.50.5.6:C04 Corrected an issue with uploading RSA certificates with PKCS#8 formatted private keys.
6.50.5.6:C05 Corrected an issue that caused the Send images event to stop uploading to an FTP server when the filename included a space (" ").
6.50.5.6:C06 Improved handling of empty recordings.
6.50.5.6:C07 Corrected CVE-2019-15916.
6.50.5.6:C08 Upgraded cURL to version 7.79.1 to increase overall cybersecurity level.
6.50.5.6:C09 Corrected CVE-2020-13848.
6.50.5.6:C10 Corrected CVE-2021-29462.
6.50.5.6:C11 Corrected an issue that caused ONVIF AbsoluteMove commands to return a 500 Internal Server Error.
6.50.5.6:C12 Updated OpenSSL to version 1.1.1o to increase the overall minimum cybersecurity level.
6.50.5.6:C13 Upgraded Apache to version 2.4.53 to increase overall cybersecurity level.
6.50.5.6:C14 Fixed file permission when using disk encryption.

Corrections in 6.50.5.5 since 6.50.5.4
=======================================
6.50.5.5:C01 General improvements to the LTS-2016 platform.
6.50.5.5:C02 Corrected CVE-2021-31986.
6.50.5.5:C03 Corrected CVE-2021-31988.
6.50.5.5:C04 Updated OpenSSL to version 1.1.1l to increase overall minimum cybersecurity level.
6.50.5.5:C05 Corrected CVE-2021-31987.
6.50.5.5:C06 Updated OpenSSH to version 8.6p1 to increase the overall minimum cybersecurity level.
6.50.5.5:C07 Updated curl to version 7.78.0 to increase overall cybersecurity level.
6.50.5.5:C08 Corrected CVE-2019-12450.
6.50.5.5:C09 Extended the 802.1x EAP-Identity field character limit from 32 to 128 characters.
6.50.5.5:C10 Corrected an issue that caused video clients such as VLC to not display a low-FPS video stream due to missing base FPS info in VUI timing info.
6.50.5.5:C11 Updated Apache to version 2.4.48 to increase overall cybersecurity level.
6.50.5.5:C12 Corrected CVE-2021-27218.
6.50.5.5:C13 Corrected CVE-2021-27219.

Corrections in 6.50.5.4 since 6.50.5.3
=======================================
6.50.5.4:C01 General improvements to the LTS-2016 platform.
6.50.5.4:C02 Corrected an issue that caused the value of Quality of Service (QoS) to not be respected in always multicast mode.
6.50.5.4:C03 Updated OpenSSL to version 1.1.1k to fix CVE-2021-3449 and CVE-2021-3450.
6.50.5.4:C04 Added support for health monitoring using Axis Micron SD card.

Corrections in 6.50.5.3 since 6.50.5.2
=======================================
6.50.5.3:C01 General improvements to the LTS-2016 platform.
6.50.5.3:C02 Updated Apache to version 2.4.46 to increase overall cyber security level.
6.50.5.3:C03 Corrected an issue that caused the test button in the webGUI to not work when mounting Network Attached Storage (NAS) configured with SMB v3.

Corrections in 6.50.5.2 since 6.50.5.1
=======================================
6.50.5.2:C01 General improvements to the LTS 2016 platform.
6.50.5.2:C02 Updated libssh2 to version 1.9.0 to increase overall cybersecurity. This update includes a correction for CVE-2019-13115.
6.50.5.2:C03 Corrected an issue that caused old recordings to not be removed after their retention period had expired.
6.50.5.2:C04 Added possibility to retrieve the device Owner Authentication Key (OAK) in the web GUI. Note that this functionality requires that the product has direct access to the internet.
6.50.5.2:C05 Disabled the HTTP Options method in the Apache webserver replies to increase overall cyber security level.
6.50.5.2:C06 Updated OpenSSL to version 1.1.1g to increase overall cybersecurity level.
6.50.5.2:C07 Updated Apache to version 2.4.43 to increase overall cybersecurity level.
6.50.5.2:C08 Corrected a streaming issue to handle timestamps correctly after an RTSP:PAUSE/RESUME event.
             This could cause gaps in recordings when using Axis Media Control (AMC).
6.50.5.2:C09 Updated curl to 7.69.1 to increase overall cybersecurity level.

Corrections in 6.50.5.1 since 6.50.5
=====================================
6.50.5.1:C01 General improvements to the 2016 LTS platform.
6.50.5.1:C02 Corrections for the security vulnerability CVE-2019-16275 in wpa_supplicant/hostapd.
6.50.5.1:C03 Corrected an issue that prevented video clips from being sent from action rules using HTTPS or Email recipients.
6.50.5.1:C04 Corrected an issue that caused the database used to store DHCP addresses to be corrupted during a power cut.
6.50.5.1:C05 Added ProxyDispatcherOnly option to the O3C/AVHS client that can control proxy configurations of dispatcher services.

Corrections in 6.50.5 since 6.50.4.2
=====================================
6.50.5:C01 General improvements to the 2016 LTS platform.
6.50.5:C02 Corrected an issue causing intermittent disconnections to the camera.
6.50.5:C03 Updated libcurl to version 7.68 to increase overall cyber security.
6.50.5:C04 Corrected a streaming issue that caused the RTSP server to omit the RTP-info header on rare occasions.
6.50.5:C05 Updated OpenSSH to version 7.9p to increase overall cyber security.
6.50.5:C06 Corrected an issue that caused the test recipient button in the Web GUI to not work properly when setting up an event mail recipient.
6.50.5:C07 Updated OpenSSL to version 1.1.1d to increase overall cyber security.
6.50.5:C08 Added support for resolving domain name trap addresses in SNMP.
6.50.5:C09 Corrected a streaming issue affecting RTSP tunneled via HTTPS.
6.50.5:C10 Updated wpa-supplicant to version 2.9 to increase overall cyber-security. The following security vulnerabilities are included: CVE-2019-13377, CVE-2019-16275.

Corrections in 6.50.4.2 since 6.50.4.1
=======================================
6.50.4.2:C01 Corrected an issue that prevented the user from setting the time and date manually in the WebGUI.

Corrections in 6.50.4.1 since 6.50.4
=====================================
6.50.4.1:C01 General minor improvements to the 2016 LTS platform.
6.50.4.1:C02 Updated OpenSSL to version 1.0.2t to increase overall minimum cyber security level.
6.50.4.1:C03 Updated Apache to version 2.4.41 to increase overall minimum cyber security level.
6.50.4.1:C04 Updated time zones in date/time settings in web-GUI.
6.50.4.1:C05 Corrected an issue that caused param.cgi to show the password in plain text when listing a specified ACAP parameter.
6.50.4.1:C06 Added support for health status from Western Digital SD-cards.
6.50.4.1:C07 Corrected an issue that caused audio not to be included in video clips when audio encoding G711 Mulaw was enabled.
6.50.4.1:C08 Corrected an issue that caused a reboot of the camera to start an ACAP even though STARTMODE=never was set in its configuration.
6.50.4.1:C09 Corrected an issue that could disconnect the camera from a network share drive when CIFS (SMB) 2.x or higher is enabled.

Corrections in 6.50.4 since 6.55.1.3
=======================================
6.50.4:C01 Removed the root user's default password in factory defaulted firmware. The password of the root user must be set first in order to initialize VAPIX and ONVIF interfaces to allow further configuration. This change only affects products in their factory defaulted state; products that are already deployed in production systems are not affected by this update until factory defaulted.
6.50.4:C02 Corrected an issue that caused snapshot JPEG images to contain erroneous data, resulting in problems displaying them in some viewers.
6.50.4:C03 Increased the limit of concurrent HTTP requests for I/O related VAPIX commands from 4 to 10.
6.50.4:C04 Corrected an issue that prevented the insertion of triggered data in SEI messages when streaming H.264.
6.50.4:C05 Updated OpenSSL to version 1.0.2s to increase overall minimum cyber security level.
6.50.4:C06 Updated libssh2 to version 1.8.2 because version 1.8.1 broke publickey-userauth requests.
6.50.4:C07 Updated Mozilla ca-certificates to versions available at 20190122.
6.50.4:C08 Corrected security vulnerability in Systemd CVE-2019-6454 to increase overall minimum cyber security level.
6.50.4:C09 Improved robustness of the O3C client.
6.50.4:C10 Updated Apache to version 2.4.39 to increase overall minimum cyber security level.
6.50.4:C11 Patched the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863.
6.50.4:C12 Corrected the following vulnerabilities in order to increase overall minimum cyber security level: CVE-2018-16865, CVE-2018-16866.
6.50.4:C13 Corrected an issue that prevented the user from uploading a certificate that contains "Bag Attributes" before and after the actual certificate content.
6.50.4:C14 Corrected an issue that caused event notifications not to be triggered on storage disruption.
6.50.4:C15 Corrected an issue with HTTP response which prevented the camera from streaming on rare occasions.
6.50.4:C16 Corrected an issue that could cause an incorrect error message when testing HTTP recipient.
6.50.4:C17 Patched security vulnerability in the Linux kernel CVE-2018-17182 to increase overall minimum cyber security level.
6.50.4:C18 Adjusted re-connection behavior of interrupted AVHS connections on AVHS-server side. The time between failed connection attempts will now gradually increase until a hard limit is reached.
6.50.4:C19 Patched the security vulnerability CVE-2017-16544 in BusyBox to increase overall minimum cyber security level.
6.50.4:C20 Corrected an issue in the ACAP framework that could cause ACAPs to freeze on rare occasions.
6.50.4:C21 Corrected an issue that could cause corrupted video recordings when UserData or TriggerData are enabled.

Corrections in 6.55.1.3 since 6.55.1.2
======================================
6.55.1.3:C1 Added support for Thermal sensor with firmware revision >=28.

Supported AXIS VAPIX API Image Resolutions for AXIS Q2901
=========================================================

Resolution  Exceptions
==========  ==========
720x576
672x512
640x512
640x480
480x360
384x288
336x256
320x256
320x240
240x180
176x144
160x128
160x120
352x288     1)
352x240     1)
240x135     1)
192x144     1)
176x120     1)
80x60       1)

1) Not visible in web user interface