FIRMWARE RELEASE NOTE ====================== Products affected: AXIS Q8685-E Release date: 2020-04-23 Release type: Production Firmware version: 8.40.3.3 Preceding release: 8.40.3.2 -------------------------------------------------------------------------------- Upgrade instructions ==================== Upgrade the firmware according to the instructions given at https://www.axis.com/ca/en/support/tecnical-notes/how-to-upgrade or howtoupgrade.txt, which is included in the firmware folder. NOTE ==================== For latest information about Axis Cybersecurity, see https://www.axis.com/se/sv/support/product-security. Corrections in 8.40.3.3 since 8.40.3.2 ======================================= 8.40.3.3:C01 General improvements to the 2018 LTS platform. 8.40.3.3:C02 Improved lens correction algorithm. 8.40.3.3:C03 Added ProxyDispatcherOnly option to the O3C/AVHS client that can control proxy configurations of dispatcher services. 8.40.3.3:C04 Corrected an issue that on some occasions could cause an H.264 stream to stall after a while if viewed in the browser. 8.40.3.3:C05 Corrected ONVIF response for WSPullPointSupport. Corrections in 8.40.3.2 since 8.40.3.1 ======================================= 8.40.3.2:C01 General improvements to the 2018 LTS platform. 8.40.3.2:C02 Corrected Vendor class identifier for DHCP negotiation. 8.40.3.2:C03 Updated curl to version 7.68.0 to increase the minimum cybersecurity level. 8.40.3.2:C04 Corrected an issue that prevented the device from resolving DNS hostnames when used in combination with SNMP. 8.40.3.2:C05 Added the option to disable Web-Service Discovery (WS-Discovery) protocol in Plain Config. 8.40.3.2:C06 Corrected an issue that caused the test recipient button in the Web GUI to not work properly when setting up an event mail recipient. 8.40.3.2:C07 Corrected an issue that caused multicast redirection to fail on rare occasions. 8.40.3.2:C08 Updated Linux kernel to version 4.9.197 to increase the minimum cybersecurity level. 8.40.3.2:C09 Corrected an issue that prevented the user from exporting recordings when the product was configured to Alaska timezone. 8.40.3.2:C10 Corrected an issue that caused the EAP-START package not to be sent during IEEE 802.1x port authentication upon network link state change. 8.40.3.2:C11 Updated wpa-supplicant to version 2.9 and hostapd to version 2.9 to increase overall minimum cyber security level. Corrections for the following security vulnerabilities are included: CVE-2019-13377 CVE-2019-16275. 8.40.3.2:C12 Corrected a streaming issue affecting RTSP tunneled via HTTPs. Corrections in 8.40.3.1 since 8.40.3 ===================================== 8.40.3.1:C01 General improvements to the 2018 LTS platform. 8.40.3.1:C02 Corrected an issue that on rare occasions caused the image to go grey when streaming JPEG. 8.40.3.1:C03 Corrected an issue that caused playback from a SD card of recorded MKV files with audio to fail on rare occasions. 8.40.3.1:C04 Corrected an issue with the resolution on the ONVIF command getstatus (PTZ). 8.40.3.1:C05 Corrected an issue that caused a reboot of the camera to start an ACAP even though STARTMODE=never was set in its configuration. 8.40.3.1:C06 Corrected an issue that made it possible to add an action rule recipient without nice-name via API. 8.40.3.1:C07 Updated OpenSSL to version 1.1.1d to increase overall minimum cyber security level. 8.40.3.1:C08 Corrected an issue that caused param.cgi to show password in plain text when listing a specified ACAP parameter. 8.40.3.1:C09 Corrected a streaming issue that caused the RTSP server to omit the RTP-info header on rare occasions. 8.40.3.1:C10 Corrected an issue that caused time in recording list to be incorrect for America/Caracas, Africa/Cairo and Asia/Baku. 8.40.3.1:C11 Added white light illumination event action. 8.40.3.1:C12 Updated Apache to version 2.4.41 to increase overall minimum cyber security level. 8.40.3.1:C13 Corrected an issue that caused fan status not to be reported correctly via SNMP. 8.40.3.1:C14 Corrected an issue that caused parameter hidden:on_off in the Axis ACAP SDK to not work properly. 8.40.3.1:C15 Corrected an issue that caused a log in pop-up to appear in the WebGUI after a factory default even though no users had been configured yet. 8.40.3.1:C16 Added support for health status from Western Digital SD-cards. 8.40.3.1:C17 Corrected an issue that caused the capture_open_stream API in the Axis ACAP SDK to not work properly. Corrections in 8.40.3 since 8.40.2.2 ===================================== 8.40.3:C01 General minor improvements to the 8.40 LTS platform. 8.40.3:C02 Removed the root users default password in factory defaulted firmware. The password of the root user must be set first in order to initialize VAPIX and ONVIF interfaces to allow further configuration. This change only affects products in its factory defaulted state, products that are already deployed in production systems are not affected by this update until factory defaulted. 8.40.3:C03 Update libssh2 to version 1.9.0 to increase overall minimum cyber security level. This update includes correction for CVE-2019-13115. Corrections in 8.40.2.2 since 8.40.2.1 ======================================= 8.40.2.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.2.2:C02 Corrected the following kernel vulnerabilities to increase overall minimum cyber security level (collectively known as "TCP SACK PANIC"): CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. 8.40.2.2:C03 Corrected an issue that caused problems accessing devices via O3C/Axis Guardian using Microsoft Edge browser. 8.40.2.2:C04 Improved the certificate management system: It is now possible to upload PKCS#12 certificates with a total size of 102400 bytes. The previous limit was 1/10 of it. 8.40.2.2:C05 Corrected an issue that caused some users not to be displayed in the webGUI's user list on rare occasions. 8.40.2.2:C06 Improved the certificate management system: added support for certificate IDs with long names. 8.40.2.2:C07 Updated openSSL to version 1.1.1c to increase overall minimum cyber security level. 8.40.2.2:C08 Added support for TLSv1.3. 8.40.2.2:C09 Corrected security vulnerability in Systemd CVE-2019-6454 to increase overall minimum cyber security level. 8.40.2.2:C10 Improved the certificate management system: added system log information for failing certificate upload. 8.40.2.2:C11 Corrected an issue that caused SMB connection problems to NetApp NAS configured for SMBv2. 8.40.2.2:C12 Updated libssh2 to version 1.8.2 due to that version 1.8.1 broke publickey-userauth requests. 8.40.2.2:C13 Corrected an issue that caused images to be unusually dark in WDR mode on rare occasions. Corrections in 8.40.2.1 since 8.40.2 ===================================== 8.40.2.1:C01 General minor improvements to the 8.40 LTS platform. 8.40.2.1:C02 Updated Apache to version 2.4.39 to increase overall minimum cyber security level. 8.40.2.1:C03 Improved robustness of the O3C client. 8.40.2.1:C04 Updated OpenSSL to version 1.1.1b to increase overall minimum cyber security level. 8.40.2.1:C05 Updated OpenSSH to version 7.9p to increase overall minimum cyber security level. 8.40.2.1:C06 Added information about Certificate ID to the Installed Certificates section in the server report. Corrections in 8.40.2 since 8.40.1.2 ===================================== 8.40.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.2:C02 Added OnScreenControl support for wiper. 8.40.2:C03 Corrected the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863. 8.40.2:C04 Corrected security vulnerability CVE-2019-0217 in Apache to increase overall minimum cyber security level. 8.40.2:C05 Corrected security vulnerability CVE-2017-16544 in BusyBox to increase overall minimum cyber security level. 8.40.2:C06 Corrected an issue that caused a viewer user to not be able to obtain the list of image resolution properties via param.cgi. 8.40.2:C07 Corrected an issue in the Web-GUI that prevented to upload a Client Certificate or CA certificate using the Edge browser. 8.40.2:C08 Corrected an issue that caused excessive prints of the limits.cgi to the system logs. 8.40.2:C09 Updated pre-installed Mozilla CA-certificates to versions available at 20190122. 8.40.2:C10 Added GOP Length option to the Stream Profile Settings. 8.40.2:C11 Corrected the following vulnerabilities in order to increase overall minimum cybersecurity level: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866. 8.40.2:C12 Updated OpenSSL to version 1.0.2r to increase overall minimum cyber security level. 8.40.2:C13 Corrected an issue with timestamps in the RTCP Sender Report that could cause RTSP recordings/playbacks not to work correctly in some video players using the Live555 library such as VLC and ffmpeg. Corrections in 8.40.1.2 since 8.40.1.1 ======================================= 8.40.1.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.1.2:C02 Corrected an issue in the web GUI when creating a preset position and the language was set to German. 8.40.1.2:C03 Corrected an issue that could cause the camera to get unresponsive when two clients are streaming over multicast using the same streaming parameters. 8.40.1.2:C04 Upgraded Apache to version 2.4.38 to increase overall minimum cyber security level. 8.40.1.2:C05 Corrected an issue with Always Multicast over IPv6. 8.40.1.2:C06 Corrected an issue that caused factory default settings to not be applied correctly when upgrading from a firmware version prior to 6.20. 8.40.1.2:C07 Corrected an issue in the web GUI that caused IO Port values to be displayed incorrectly. 8.40.1.2:C08 Corrected an issue that caused Recorded Guard Tour not to work properly on rare occasions. 8.40.1.2:C09 Improved re-connection behavior to AVHS server. The time between failed connection attempts will now gradually increase until a hard limit is reached. New features in 8.40.1.1 ================================================================================ 8.40.1.1:F1 The FTP Server is now disabled by default as it is not used during normal operation and may pose a security risk. The FTP Server may be enabled during advanced maintenance or troubleshooting in Settings -> System -> PlainConfig -> Network. 8.40.1.1:F2 Apache web server has been updated to version 2.4.35. 8.40.1.1:F3 New web-interface with improved usability and broader support of web-clients and operating systems. For more information please see https://www.axis.com/global/en/support/technical-notes/browser-support. 8.40.1.1:F4 The new web-interface supports 12 different pre-installed languages which will be chosen automatically based on browser settings. Uploading individual language files is not needed anymore. Supported Languages: English - German - French - Spanish - Italian - Portugese - Polish - Russian - Japanese - Chinese (Mainland) - Chinese (Taiwan) - Korean 8.40.1.1:F5 Pressing "Download the server report" in System -> Maintenance will now automatically attach a snapshot of the image to the .zip file in order to simplify support. 8.40.1.1:F6 AXIS Motion Guard is now pre-installed. 8.40.1.1:F7 AXIS Fence Guard is now pre-installed. 8.40.1.1:F8 Support for SRTP (Encrypted Video Streaming) according to RFC 3711. The cameras video stream can be received via secure end-to-end encrypted transportation method only by authorized clients. 8.40.1.1:F9 Support for day / night shift level adjustment. 8.40.1.1:F10 Support for Adaptive Resolution. Adaptive Resolution is enabled per default and takes only effect when viewing live stream in the web-interface. The viewing client will receive a image resolution that is adapted or close to the viewing clients real display resolution to improve the user experience. 8.40.1.1:F11 Support for Zipstream Dynamic FPS - Lower Limit Support for Zipstream Dynamic GOP - Upper Limit It is now possible to further adjust and set limits for Dynamic FPS and Dynamic GOP settings and can be configured under Stream settings -> Zipstream. 8.40.1.1:F12 Support for Flash All/Factory Default while performing a firmware update. It is now possible to select an option that will factory default the camera after a firmware update/downgrade has been performed under Settings -> System -> Maintenance. 8.40.1.1:F13 Changed the default setting of SRTP to disabled in order to reduce the number of ports opened by default. 8.40.1.1:F14 AXIS Video Motion Detection 4.2-5 is now pre-installed. 8.40.1.1:F15 Prepared support for signed firmware to increase overall cyber security level. It is planned that the product will only accept AXIS security-signed firmware starting in Q1/Q2 2019 and onwards. Corrections in 8.40.1.1 ================================================================================ 8.40.1.1:C1 Corrected an issue that caused the camera to stop streaming on rare occasions. 8.40.1.1:C2 Corrected an issue when an ONVIF client connected to the camera via digest authentication. 8.40.1.1:C3 Reduced the waiting time for receiving a video stream significantly when a 2nd client requests a video stream via multicast. 8.40.1.1:C4 Fixed critical vulnerability ACV-116267. 8.40.1.1:C5 The area zoom functionality has been removed from the web-interface. Area zoom was used to draw a rectangle in the live view to let the camera either mechanical or digital PTZ to its desired position. 8.40.1.1:C6 Corrected an issue that delivered E-Mails send from the camera with a wrong time stamp in the e-mail header. 8.40.1.1:C7 Corrected an issue with FTP recipients configured with a DNS name instead of a static IP-address which caused the FTP recipient test or action rule to fail. 8.40.1.1:C8 Corrected an issue that let the recorded video to the computer using the Video Capture button be incorrectly displayed or unusable on some rare occasions. 8.40.1.1:C9 Corrected critical vulnerability ACV-128401. 8.40.1.1:C10 Increased user awareness when converting legacy overlays to dynamic overlays. A restart of ongoing recordings is required after overlay conversion. 8.40.1.1:C11 Corrected an issue that could cause the configuration file upload from ADM to camera to fail. 8.40.1.1:C12 Patched security vulnerability CVE-2018-5390 to increase overall minimum cyber security level. 8.40.1.1:C13 Patched security vulernability CVE-2018-14526 to increase overall minimum cyber security level. Known Bugs/Limitations ================================================================================ 8.40.3:L1 There might be features currently explained in the help files that may not be supported by the camera. 8.40.3:L2 Videos recorded using the video capture feature in Live View may not be playable or might get stuck in some media players. This was seen e.g. with Windows Media Player. 8.40.3:L3 An overlay text (e.g. date/time modifier) that has been configured in the classic web-interface will still be shown in the new web-interface even though a user might have disabled the overlay text there after firmware update. A user needs to disable the overlay text in the Plain config. Untick the checkboxes for Image Ix Text -> ClockEnabled and DateEnabled. 8.40.3:L4 IEEE 802.1x configuration does not work in Microsoft Edge. 8.40.3:L5 A user might experience frame drops on rare conditions when video streaming in Firefox 57 due to specific computer hardware. It is recommended to use Google Chrome instead. 8.40.3:L6 It is recommended to refresh the browser with F5 after doing a FW upgrade from FW 6.xx to 8.xx or higher in order to show all the new settings in the web- interface. Supported AXIS VAPIX API Image Resolutions for AXIS Q8685-E ================================================================= Resolution Exceptions ========== ========== 1920x1080 2) 1280x720 800x450 480x270 320x180 1400x1050 1) 2) 1280x960 1) 2) 1024x768 1) 2) 1024x640 1) 1024x576 1) 800x600 1) 768x576 1) 720x576 1) 704x576 1) 704x480 1) 640x480 1) 640x400 1) 640x360 1) 704x288 1) 480x360 1) 704x240 1) 480x300 1) 384x288 1) 352x288 1) 352x240 1) 320x240 1) 320x200 1) 240x180 1) 192x144 1) 176x144 1) 176x120 1) 160x120 1) 160x100 1) 160x90 1) 80x50 1) analyze 1) 1) Not visible in web user interface 2) 1080p 1920x1080 (16:9) @ 25/30 fps Known Bugs/Limitations ================================================================================ 8.40.3:L1 There might be features currently explained in the help files that may not be supported by the camera. 8.40.3:L2 Videos recorded using the video capture feature in Live View may not be playable or might get stuck in some media players. This was seen e.g. with Windows Media Player. 8.40.3:L3 An overlay text (e.g. date/time modifier) that has been configured in the classic web-interface will still be shown in the new web-interface even though a user might have disabled the overlay text there after firmware update. A user needs to disable the overlay text in the Plain config. Untick the checkboxes for Image Ix Text -> ClockEnabled and DateEnabled. 8.40.3:L4 IEEE 802.1x configuration does not work in Microsoft Edge. 8.40.3:L5 A user might experience frame drops on rare conditions when video streaming in Firefox 57 due to specific computer hardware. It is recommended to use Google Chrome instead. 8.40.3:L6 It is recommended to refresh the browser with F5 after doing a FW upgrade from FW 6.xx to 8.xx or higher in order to show all the new settings in the web- interface. Supported AXIS VAPIX API Image Resolutions for AXIS Q8685-E ================================================================= Resolution Exceptions ========== ========== 1920x1080 2) 1280x720 800x450 480x270 320x180 1400x1050 1) 2) 1280x960 1) 2) 1024x768 1) 2) 1024x640 1) 1024x576 1) 800x600 1) 768x576 1) 720x576 1) 704x576 1) 704x480 1) 640x480 1) 640x400 1) 640x360 1) 704x288 1) 480x360 1) 704x240 1) 480x300 1) 384x288 1) 352x288 1) 352x240 1) 320x240 1) 320x200 1) 240x180 1) 240x135 1) 192x144 1) 176x144 1) 176x120 1) 160x120 1) 160x100 1) 160x90 1) 80x50 1) analyze 1) 1) Not visible in web user interface 2) 1080p 1920x1080 (16:9) @ 25/30 fps