FIRMWARE RELEASE NOTE ===================== Products affected: AXIS V5915 Release date: 2024-11-13 Release type: Production Firmware version: 8.45.4.4 Preceding release: 8.45.4.3 -------------------------------------------------------------------------------- Upgrade instructions ==================== Upgrade the firmware according to the instructions given at https://www.axis.com/ca/en/support/tecnical-notes/how-to-upgrade or howtoupgrade.txt, which is included in the firmware folder. NOTE ==================== For latest information about Axis Cybersecurity, see https://www.axis.com/se/sv/support/product-security. BEFORE upgrading from 5.75.1.13 please note the following IMPORTANT INFORMATION: As this is a very large step in Firmware versions, a Factory Default or Factory Restore of the camera is required after the update in order to ensure full functionality. This can be done via the web interface. Go to Settings > Sytem > Maintenance. More information on performing a Factory Reset can be found in the User Manual. Updates 8.45.4.4 since 8.45.4.3 ================================================ Cybersecurity: 8.45.4.4:S01 Updated Apache to version 2.4.62 to increase overall cybersecurity level. 8.45.4.4:S02 Updated OpenSSL to version 1.1.1y to increase overall cybersecurity level. 8.45.4.4:S03 Updated OpenSSH to version 9.8p1 to increase overall cybersecurity level. 8.45.4.4:S04 Updated cURL to version 8.9.0 to increase overall cybersecurity level. 8.45.4.4:S05 Updated libssh2 to version 1.11.0 to increase overall cybersecurity level. 8.45.4.4:S06 Updated Nettle cryptographic library to version 3.6 to increase overall cybersecurity level. 8.45.4.4:S07 Addressed vulnerability allowing unauthorized command execution via param.cgi. 8.45.4.4:S08 Addressed a vulnerability allowing DHCPv6 lease injection through unvalidated input parameters. 8.45.4.4:S09 Addressed vulnerabilities in GnuTLS: CVE-2024-28834 and CVE-2024-28835. 8.45.4.4:S10 Addressed CVE-2023-52160 in wpa-supplicant to increase overall minimum cybersecurity level. 8.45.4.4:S11 Addressed CVE-2024-0067, CVE-2024-6173, CVE-2024-6509. For more information, please visit the Axis vulnerability management portal. 8.45.4.4:S12 Addressed CVE-2024-0066. For more information, please visit the Axis vulnerability management portal. 8.45.4.4:S13 The parameter RemoteService.ProxyPassword that controls the proxy password has been masked and made unreadable for security reasons. 8.45.4.4:S14 Addressed CVE-2024-0054. For more information, please visit the Axis vulnerability management portal. 8.45.4.4:S15 Addressed CVE-2023-5800. For more information, please visit the Axis vulnerability management portal. Corrections: 8.45.4.4:C01 Resolved an issue where SSH users could retain access after a factory default with kept IP settings. 8.45.4.4:C02 Corrected a stream crash caused by invalid float values in CGI input. 8.45.4.4:C03 Implemented DNS cache for O3C client to reduce DNS lookups. Updates 8.45.4.3 since 8.45.4.2 ================================================ Features: 8.45.4.3:F01 Improved UPnP compliance by updating the SSDP (Simple Service Discovery Protocol) SERVER header in the standard "OS/version UPnP/1.0 product/version" format and USN (Unique Service Name) field with a UUID in the standard format. This enhances consistency and compatibility. 8.45.4.3:F02 Improved the manager client certificates and added support for installing multiple trust certificates and requesting/installing a second client certificate. Cybersecurity: 8.45.4.3:S01 Updated CURL to version 8.4.0 to increase overall cybersecurity level. 8.45.4.3:S02 Updated OpenSSL to version 1.1.1w to increase overall cybersecurity level. 8.45.4.3:S03 Updated Apache to version 2.4.57 to increase the overall cybersecurity level. 8.45.4.3:S04 Receiving ICMP secure redirects from other network hosts are now disabled to increase overall minimum cyber security level. 8.45.4.3:S05 Addressed CVE-2023-21418. For more information, please visit https://www.axis.com/support/cybersecurity/vulnerability-management. 8.45.4.3:S06 Addressed CVE-2023-21415. For more information, please visit https://www.axis.com/support/cybersecurity/vulnerability-management. Corrections: 8.45.4.3:C01 Netd Service preserves the static resolver configuration even after a soft restore, safeguarding static DNS/Search domain settings. 8.45.4.3:C02 Corrected an issue with OAK (owner authentication key). It now only produces warnings in the log instead of errors if the device is not able to connect to the internet. 8.45.4.3:C03 Corrected an issue affecting some O3C clients, that caused internal authentication requests to fail after a few days of uptime. 8.45.4.3:C04 Improved stability of syslog system by addressing a potential memory leak. 8.45.4.3:C05 Corrected an issue with the audio transmit function where the response to /axis- cgi/audio/transmit.cgi is returning a '400 Bad Request' error. 8.45.4.3:C06 Updated libupnp to version 1.14.16, solving a memory leak and improving overall stability. 8.45.4.3:C07 Corrected an issue with certificate parsing during certificate uploads. Corrections in 8.45.4.2 since 8.45.4.1 ======================================= 8.45.4.2:C01 Updated cURL to version 7.86.0 to increase overall cybersecurity level. Corrections in 8.45.4.1 since 8.45.4 ======================================= 8.45.4.1:C01 Updated OpenSSL to version 1.1.1q to increase overall cybersecurity level. 8.45.4.1:C02 Updated curl to version 7.84.0 to increase overall cybersecurity level. Corrections in 8.45.4 since 8.45.3.3 ======================================= 8.45.4:C01 Updated OpenSSL to version 1.1.1o to increase overall cybersecurity level. 8.45.4:C02 Updated Apache web server to version 2.4.54 to increase overall cybersecurity level. Corrections in 8.45.3.3 since 8.45.3.2 ======================================= 8.45.3.3:C01 General improvements to the 2018 LTS platform. 8.45.3.3:C02 Added ProxyDispatcherOnly option to the O3C/AVHS client that can control proxy configurations of dispatcher services. 8.45.3.3:C03 Corrected an issue that on some occasions could cause an H.264 stream to stall after a while if viewed in the browser. 8.45.3.3:C04 Corrected ONVIF response for WSPullPointSupport. 8.45.3.3:C05 Upgraded to OpenSSL 1.1.1l. 8.45.3.3:C06 Upgraded Apache to version 2.4.51. 8.45.3.3:C07 Corrected CVE-2021-31986. 8.45.3.3:C08 Corrected CVE-2021-31987. 8.45.3.3:C09 Corrected CVE-2021-31988. Corrections in 8.45.3.2 ================================================================================ 8.45.3.2:C1 Improved stability when using longer SDI cables. Features in 8.45.3.1 ================================================================================ 8.45.3.1:F1 Updated curl to version 7.68.0 to increase the minimum cybersecurity level Features in 8.45.3 ================================================================================ 8.45.3:F1 Axis Zipstream now supported for reduced bandwidth and storage requirements. 8.45.3:F2 Added support for ONVIF Audio Backchannel. 8.45.3:F3 New web-interface with improved usability and broader support of web-clients and operating systems. For more information please see https://www.axis.com/global/en/support/technical-notes/browser-support. 8.45.3:F4 CamStreamer ACAP updated to 3.4.2. 8.45.3:F5 Added support for AES-CBC 256-bit SD card encryption. 8.45.3:F6 Axis Video Motion Detection updated to 4.2.5. 8.45.3:F7 Added a new section "Snapshot of current CPU utilization" that prints information about CPU utilization and memory consumption of processes in the server report. 8.45.3:F8 Changed the default timeout of HTTP-Recipient based action rules from 10s to 120s to compensate for unstable networks or slow clients. After the timeout is reached, the action rule will be re-tried. 8.45.3:F9 Added the possibility for the user to share anonymous usage data with AXIS developers. 8.45.3:F10 Added support for automatically negotiating the preferred SMB protocol version with SMB 2.1 or higher in order to increase the overall minimum cybersecurity level. Please refer to the follwing FAQ for more information -> https://www.axis.com/support/faq/FAQ116392. 8.45.3:F11 Added support for ONVIF Audio Backchannel with support for G711 and G726 audio codec. Cameras are able to retrieve audio while sending an audio capable video stream with metadata in the same RTSP session. 8.45.3:F12 Updated OpenEmbedded to version Poky Rocko to increase overall cyber security level. 8.45.3:F13 Updated the maximum number of recipients for action rules to 20 from 10. 8.45.3:F14 Changed the default setting of SRTP to disabled in order to reduce the number of ports opened by default. 8.45.3:F15 Prepared support for signed firmware to increase overall cyber security level. It is planned that the product will only accept AXIS security-signed firmware starting in Q1/Q2 2019 and onwards. 8.45.3:F16 The possibility to edit scripts in camera has been disabled per default in order to increase minimum cyber security level. 8.45.3:F17 Updated NTP server (openntpd) to version 6.2p3. 8.45.3:F18 Added support for showing hidden resolutions via API. The parameter Properties.Image.ShowSuboptimalResolutions has been added which will, when enabled, show all of the products supported resolutions. 8.45.3:F19 Changed the behavior of the capture mode parameter. Changing capture mode requires a reboot now. 8.45.3:F20 Support for Firmware Recovery under Settings -> System -> Maintenance. The product is saving a restore point every time the firmware is updated, allowing the user to rollback to a previous firmware and its configuration. 8.45.3:F21 Support for HTTP keep-alive connections via ONVIF. PTZ products can now be controlled via HTTP keep-alive connections. This increases PTZ control accuracy, reduces overhead communication and therefore lowers the risk for security focused network infrastructure or unstable networks to block or drop PTZ control commands. 8.45.3:F22 Support for browser stream statistics in Live View. 8.45.3:F23 Support for Password Security Confirmation Check. To increase overall cybersecurity awareness, a user-configured password that is considered "weak" need to be confirmed actively twice by the user. 8.45.3:F24 The functionality of enabling Axis DNS Service via control button has been disabled by default. It can be enabled again using VAPIX. 8.45.3:F25 Changed the default web server authentication from Basic & Digest to Digest only. 8.45.3:F26 Upon a factory default, the camera will generate a self-signed certificate at boot and enable HTTPS. This allows clients to use encrypted access from start. If HTTPS is to be used in daily operations, it is recommended to replace the generated self-signed certificate with a CA-signed certificate. 8.45.3:F27 PTZ products can be controlled now via HTTP 1.1 keep-alive connections which increases PTZ control accuracy, reduces overhead communication and therefore lowers the risk for security focused network infrastructure to block PTZ control commands when controlling a PTZ camera. 8.45.3:F28 Support for AXIS SD card health API. The SD card health API allows a client to track and request the health and wear-out state of an camera with AXIS Surveillance SD Card. 8.45.3:F29 The Axis Media Control (AMC) is not longer embedded in the product and needs to be downloaded separately on https://www.axis.com/global/en/support/downloads /axis-media-control if needed. The Java Applet has been removed as well. 8.45.3:F30 Our ONVIF implementation have been improved by adding GetVideoEncoderConfigurationOptions extension. This makes it possible for an ONVIF client to get the bitrate range. 8.45.3:F31 Renamed "Browser Stream Statistics" to "Client Stream Information". The Client Stream Information are available in the web-interface of the camera. 8.45.3:F32 The new web-interface supports 12 different pre-installed languages which will be chosen automatically based on browser settings. Uploading individual language files is not needed anymore. 8.45.3:F33 Updated help files with more detailed information about SMB and Certificate support in AXIS products. Corrections in 8.45.3.1 ================================================================================ 8.45.3.1:C1 Corrected an issue that had removed the option to select line level audio input for 3.5mm from audio tab. 8.45.3.1:C2 Corrected an issue that had removed the option to add or remove 30dB audio boost. 8.45.3.1:C3 Corrected an issue that caused custom FTP ports to no longer function. 8.45.3.1:C4 Corrected an issue where the right audio channel failed to mute. 8.45.3.1:C5 Updated wpa-supplicant to version 2.9 and hostapd to version 2.9 to increase overall minimum cyber security level. Corrections for the following security vulnerabilities are included: CVE-2019-13377 CVE-2019-162 8.45.3.1:C6 Corrected an issue that prevented the device from resolving DNS hostnames when used in combination with SNMP. 8.45.3.1:C7 Corrected Vendor class identifier for DHCP negotiation. 8.45.3.1:C8 Corrected an issue that caused the test recipient button in the Web GUI to not work properly when setting up an event mail recipient. 8.45.3.1:C9 Corrected an issue that caused multicast redirection to fail on rare occasions. Corrections in 8.45.3 ================================================================================ 8.45.3:C1 Updated OpenSSL to version 1.1.1d to increase overall minimum cyber security level. 8.45.3:C2 Updated Apache to version 2.4.41 to increase overall minimum cyber security level. 8.45.3:C3 Update libssh2 to version 1.9.0 to increase overall minimum cyber security level. This update includes correction for CVE-2019-13115. 8.45.3:C4 Corrected the following kernel vulnerabilities to increase overall minimum cyber security level (collectively known as "TCP SACK PANIC"): CVE-2019-11477,CVE-2019-11478,CVE-2019-11479. 8.45.3:C5 Improved the certificate management system: It is now possible to upload PKCS#12 certificates with a total size of 102400 bytes. The previous limit was 1/10 of it. 8.45.3:C6 Improved the certificate management system: added support for certificate IDs with long names. 8.45.3:C7 Added support for TLSv1.3. 8.45.3:C8 Corrected security vulnerability in Systemd CVE-2019-6454 to increase overall minimum cyber security level. 8.45.3:C9 Improved the certificate management system: added system log information for failing certificate upload. 8.45.3:C10 Improved robustness of the O3C client. 8.45.3:C11 Updated OpenSSH to version 7.9p to increase overall minimum cyber security level. 8.45.3:C12 Added information about Certificate ID to the Installed Certificates section in the server report. 8.45.3:C13 Corrected the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863, CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879, CVE-2018-10880, CVE-2018-10881, CVE-2018-10882, CVE-2018-10883, CVE-2018-17182, CVE-2018-5390, CVE-2018-14526, CVE-2016-2147, CVE-2016-2148, CVE-2017-9798, CVE-2018-16864, CVE-2017-16544, CVE-2019-6454, CVE-2018-16865, CVE-2018-16866, CVE-2019-0217. 8.45.3:C14 Updated pre-installed Mozilla CA-certificates to versions available at 20190122. 8.45.3:C15 Added GOP Length option to the Stream Profile Settings. 8.45.3:C16 Improved list.cgi to display all installed applications (no longer limited to 8). 8.45.3:C17 Improved stability in the httptest.cgi. 8.45.3:C18 Added Firmware Recovery (Firmware Rollback) information to the server report. 8.45.3:C19 Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible TLS version for HTTPS-based connections. 8.45.3:C20 Improved HTTP image upload stability in unstable networks. 8.45.3:C21 Improved camera stability when metadata is used. 8.45.3:C22 Improved loading of the web-interface in unstable networks. 8.45.3:C23 Improved stability in actionengine (tcp notification). 8.45.3:C24 Increased the limit of concurrent HTTP requests for I/O related VAPIX commands from 4 to 10. 8.45.3:C25 Adjusted re-connection behavior of interrupted AVHS connections on AVHS-server side. The time between failed connection attempts will now gradually increase until a hard limit is reached. 8.45.3:C26 Added Perfect Forward Secrecy ciphers (DHE-RSA) to the ciphers selection. 8.45.3:C27 Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible HTTPS negotiation client handshake via TLSv1.2. 8.45.3:C28 Added a Storage Stability Helper service for better handling of Network Shares. 8.45.3:C29 Adds PID/program name to network connection list in the Server Report. 8.45.3:C30 Updated R2 GlobalSign Root Certificate to version 20170717. Required to enable Email recipients using 'Validate server certificate'. 8.45.3:C31 Added support for certificates with expiration dates beyond year 2038. 8.45.3:C32 Support for HTTP keep-alive connections via ONVIF. lowers the risk for security focused network infrastructure or unstable networks to block or drop PTZ control commands. 8.45.3:C33 Corrected an issue that let the PTZ control queue ignore an anonymous viewer account and deny PTZ control. 8.45.3:C34 Improved user notification when creating a E-mail recipient that contains wrong domain information. 8.45.3:C35 Improved camera stability when metadata is used. 8.45.3:C36 Improved camera stability when using liblicensekey. 8.45.3:C37 The correct IPv6 router IP-addresses are now shown correctly in the network interface of the web-interface and in ONVIF responses. 8.45.3:C38 Adjusted the system log messages for the NTP daemon to be more specific and highlight that there is a time drift instead of an "adjustment". 8.45.3:C39 Upgrade SSL negotiation in the AVHS client to SSLv23 instead of the deprecated TLSv1. 8.45.3:C40 The triple DES cipher is not selected as DEFAULT in the HTTPS settings to increase overall cyber security level. 8.45.3:C41 Updated the Portable UPnP SDK to 1.6.22 to increase the overall cyber security level. 8.45.3:C42 Improved stability for TCP notifications. 8.45.3:C43 Improved camera stability when TriggerData is used. Known Bugs/Limitations ================================================================================ 8.45.3.1:L1 It is not recommended to minimize an open stream tab in the GUI when using Chrome. This will cause latency that will be corrected by refreshing the browser. 8.45.3:L1 When using the Edge or Firefox web browser automatic license installation doesn't work as expected. 8.45.3:L2 Chrome will buffer the video stream if a new tab is opened in the foreground. Refresh the original tab to instead recieve the live video stream. 8.45.3:L3 It is not possible to update the product using Genetec 5.7 SR2. Genetec will provide a patch in 5.7 SR3. 8.45.3:L4 There is only one available pre-installed audio clip (Camera clicks). 8.45.3:L5 When downgrading a firmware the static IP configuration is lost. Axis recommends to perform a factory reset after downgrading. 8.45.3:L6 When performing a firmware rollback to a version older than 5.90 the database on an SD-card or the network share will be incompatible and it needs to be reformatted. 8.45.3:L7 When using an iOS device and Chrome or Safari web browser it is not possible to switch from viewer to administrator or operator. 8.45.3:L8 It is not possible to receive audio encoding details in the browser stream information. 8.45.3:L9 It is not possible to create user accounts in Microsoft Edge 38 or IE 11. More information on recommended browsers can be found here https://www.axis.com/support/technical-notes/browser-support. 8.45.3:L10 It is not possible to receive audio encoding details in the browser stream statistics. 8.45.3:L11 It is recommended to perform a factory default after downgrading the cameras firmware if needed. 8.45.3:L12 No audio support when viewing MJPEG video streams directly in the web-interface. However, a recorded video MJPEG video stream from the cameras storage can be played with audio using a 3rd party client e.g. Microsoft Windows Media Player. 8.45.3:L13 Camera is not inserting a new I-frame when a 2nd client requests a video stream via multicast through RTSP which results in additional waiting time before video streaming starts. 8.45.3:L14 Videos that have been recorded using the video capture feature in live view may not be playable in some media players (e.g. VLC) as it is in an fragmented MP4 format without total video duration. 8.45.3:L15 Some parts of the web-interface may not be fully translated. Supported AXIS VAPIX API Image Resolutions for AXIS V5914 ========================================================= Resolution Exceptions ========== ========== 1280x720 800x450 480x270 320x180 1280x960 1) 1024x768 1) 1024x576 1) 800x600 1) 768x576 1) 720x576 1) 704x576 1) 704x480 1) 704x288 1) 704x240 1) 640x480 1) 640x360 1) 480x360 1) 384x288 1) 352x288 1) 352x240 1) 320x240 1) 240x180 1) 192x144 1) 176x144 1) 176x120 1) 160x120 1) 160x90 1) 1) Not visible in web user interface