24.10.001 changelog

24.10.001

Released on 9 October, 2024.

Client

Features

  • Previously, the re-authentication mechanism could prompt the user before network conditions made it possible to authenticate. This build checks for an “OK” response from the required endpoint before prompting the user.

Fixes

  • Resolved an issue in 24.09.007 where the highest upgrade would be re-applied.

Server

Fixes

  • In 24.09.007, ephemeral messages gossiped between nodes in large clusters could exceed a size boundary, which would crash the node. These messages are now dropped and logged.
  • Controllers would sometimes run the zebra.service daemon even when BGP was not enabled. This service now only runs when necessary.
  • Fixed an issue in which mgmtd-config.service or bgpd-config.service units might have failed during Controller upgrade.
  • The /sos HTTP endpoint now denies access unless the request originates from a logged-in user. If you need public access for Controller SoS bundles, consider using the Control Plane support page, the port :911 HTTP endpoint, or the sos terminal command.

Features

  • A grace period can be configured for user authentication sessions. On the /configuration page, if you have a user device disassociation time set, you may also set a grace period. For example, if you set the timer to 12 hours and the grace period to 1 hour, the user will be prompted starting at hour 11 after authentication, but the policy engine will not disassociate the user and the device until hour 12.
  • Access policy performance for TCP flows has increased.
  • Logging verbosity around device<->user binding and user authorization has increased. All events regarding this are labeled audit_event=true.
  • Logs related to supporting BGP daemons are now included in Controller support bundles.
  • Controller gce and gce-efi images now include google-cloud-sdk.

Meta Control Plane

Features

  • A new field named commentary is now present on reported vulnerabilities. If set, the contents of the field explain why the vulnerability presents a reduced risk to the given software package.