DIGI EZ Accelerated Linux Serial Server

Specifications

• Manufacturer: Digi International
• Model: Digi Accelerated Linux
• Version: 24.12.153.120
• Supported Products: AnywhereUSB Plus, Connect EZ, Connect IT

Product Information
The Digi Accelerated Linux Operating System is designed for use with AnywhereUSB Plus, Connect EZ, and Connect IT product lines. It provides New Features, Enhancements, and Fixes to enhance the functionality and performance of these products.

Usage Instructions

Updating Firmware

1. Log into the Web UI.
2. Navigate to the System > Firmware Update page.
3. Click on the Download from Server tab.
4. Select the appropriate firmware version.
5. Click UPDATE FIRMWARE.
6. The device will automatically reboot once the firmware update is complete.

Best Practices
Digi recommends the following best practices:

1. Test the new release in a controlled environment before rolling it out.
2. Apply updates in the following order: Device firmware, Modem firmware, Configuration, Application.

Technical Support
Digi offers technical support via their team and online resources. Customers can access product documentation, firmware, drivers, knowledge base, and peer-to-peer support forums at https://www.digi.com/support.

INTRODUCTION

These release notes cover New Features, Enhancements, and Fixes to the Digi Accelerated Linux Operating System for AnywhereUSB Plus, Connect EZ and Connect IT product lines. For product specific release notes use the link below.
https://hub.digi.com/support/products/infrastructure-management/

SUPPORTED PRODUCTS

• AnywhereUSB Plus
• Connect EZ
• Connect IT

KNOWN ISSUES 

• Health metrics are uploaded to Digi Remote Manager unless the Monitoring > Device Health > Enable option is de-selected and either the Central Management > Enable option is de-selected or the Central Management > Service option is set to something other than Digi Remote Manager [DAL-3291]
• Due to changes in the firewall, it is currently not possible to bridge traffic from devices connected on an Ethernet port or Wi-Fi AP in a bridged interface to a remote IP device via a gateway connected to an Ethernet port in the same ridged interface. [DAL-9799]

UPDATE BEST PRACTICES
Digi recommends the following best practices:

1. Test the new release in a controlled environment with your application before rolling out this new version.
2. Unless otherwise noted, apply updates in the following order:
   1. Device firmware
   2. Modem firmware
   3. Configuration
   4. Application

Digi recommends Digi Remote Manager for automated device updates. For more information, see the Digi Remote Manager User Guide.

If you prefer manually updating one device at a time, follow these steps: 

1. Log into the Web UI.
2. Navigate to the System > Firmware Update page.
3. Click on the Download from Server tab.
4. Select the appropriate firmware version.
5. Click UPDATE FIRMWARE.
6. The device will automatically reboot once the firmware update is complete.

TECHNICAL SUPPORT
Get the help you need via our Technical Support team and online resources. Digi offers multiple support levels and professional services to meet your needs. All Digi customers have access to product documentation, firmware, drivers, knowledge base and peer-to-peer support forums.

Visit us at https://www.digi.com/support to find out more.

CHANGE LOG

Mandatory release = A firmware release with a critical or high security fix rated by CVSS score. For devices complying with ERC/CIP and PCIDSS, their guidance states that updates are to be deployed onto device within 30 days of release. Recommended release = A firmware release with medium or lower security fixes, or no security fixes

Note that while Digi categorizes firmware releases as mandatory or recommended, the decision if and when to apply the firmware update must be made by the customer after appropriate review and validation.

VERSION 24.12.153.120

(February 2025)
This is a mandatory release

ENHANCEMENTS 

1. The Digi Remote Manager Query State support has been updated with the following groups added: Wi-Fi, SureLink, Routing, IPsec, Location, Serial, DHCP lease, ARP, Containers, WAN Bonding, SCEP, NTP, Watchdog
2. Support for Modem firmware bundles has been added. Updating the modem with a firmware bundle will mean the modem will have the latest firmware version for all carriers.
3. The Primary Responder (PR) mode support has been updated with the following changes
   • The FIPS mode is now auto-enabled when PR mode is enabled.
   • Configuration restores are now prevented when in PR mode.
   • The external USB and Serial ports are now disabled by default when PR mode is enabled. They can be re-enabled by the user as required.
4. Support for configuring BGP Route Maps has been added.
5. The system log support has been updated to allow the user to select between the device’s MAC address, IP address or hostname to be included in the log messages. By default, the MAC address is used.
6. A new system custom-default-config CLI command has been added to allow the user to set and remove custom default configuration that will be used if the device is factory defaulted.
   There are three options:
   • current – Install the current configuration as a custom-default-config.bin file.
   • file – Set up a backup file as a custom-default-config.bin.
   • remove – Remove the current custom-default-config.bin and SHA file.
7. The system description, location and contact information will be displayed on the Web UI Dashboard if configured.
8. The title and help text for the SureLink Override parameter has been updated to make it clearer as to its functionality.
9. The Serial Port Exclusive setting has been renamed to Serial Port Sharing to help reduce confusion with the RealPort Exclusive setting.
10. The mettel APN has been added to the built-in APN list.

SECURITY FIXES
Package updates will include all security updates for the stated release, unless stated otherwise.

1. The Linux kernel has been updated to v6.12 [DAL-10545]
2. The OpenSSL package has been updated to v3.4.0 [DAL-10456]
3. The Python support has been updated to v3.13 [DAL-10024]
   • CVE-2024-4030 CVSS Score: 7.1 High
   • CVE-2023-40217 CVSS Score: 5.3 Medium
4. The WPA Supplicant and Hostapd packages have been updated to v2.11 [DAL-10498]
   • CVE-2023-52160 CVSS Score: 6.5 Medium
5. The PAM RADIUS support has been updated to mitigate the BlastRADIUS exploit. [DAL-9850] CVE-2024-3596 CVSS Score: NVD assessment not yet provided.
6. The Telnet support has been updated to mitigate a CVE. [DAL-10497]
   • CVE-2020-10188 CVSS Score: 9.8 Critical
7. The ShellInABox package has been updated to v2.20.1 [DAL-10586]
8. The ncurses package has been updated to v6.5 [DAL-10166]
9. The stunnel package has been updated to v5.73 [DAL-10203]
10. The IPerf service has been updated to have the Internal, Edge, IPsec and Setup zones enabled by default in the ACL. [DAL-10340]
11. The NTP service has been updated to have the Internal, Edge, IPsec and Setup zones enabled by default in the ACL. [DAL-10528]
12. The serial log filename configuration has been changes to be a relative path to help prevent path traversal attacks. [DAL-8650]

BUG FIXES 

1. An issue when attempting to connect Digi Remote Manager using a domain proxy has been resolved. [DAL-10596]
2. An issue where the preferred SIM was not being used after the device has booted has been resolved. [DAL-10823]
3. An issue with Dual APN support on Verizon has been resolved. [DAL-10715]
4. An issue with the maintenance window not working correctly has been resolved. [DAL-10890]
5. An issue with the file upload from the Digi Remote Manager has been resolved. [DAL-10898]
6. The following issues with the Digi Remote Manager Query State support have been resolved
   • The reboot count has been added to the System group. [DAL-10552]
   • The disconnect count has been added to the Ethernet group. [DAL-10551]
   • The RX and TX packet counts, 4G signal percentage and the 5G signal percentage and strength has been added to the Cellular group. [DAL-10550]
   • The Cellular firmware status having an invalid value. [DAL-10747]
   • The Cellular firmware carrier status causing an error. [DAL-10410]
   • The Cellular state has changed to “Connected” and “Not Connected” to be consistent with the Web UI and CLI. [DAL-10178]
   • The backup SIM not showing as “Not Present” when there are no SIM in both slots.[DAL-10152]
   • An issue where inconsistent SIM information was being returned in the Query State Cellular group has been resolved. [DAL-10849]
   • The DRM connection device was not set in the Query State response when in Passthrough mode. [DAL-10563]
   • The Ethernet ports being in a strange order. [DAL-10323]
   • The query state information is now resynced when the system time is set. [DAL-10689]
   • The system group not having valid disk information has been resolved. [DAL-10820]
   • The cellular group taking up to 90 seconds to gather the cellular information has been resolved. [DAL-10783]
7. An issue with the setting of the system time that could cause the health metrics from being reported has been resolved. [DAL-10790]
8. An issue with the TX40 Wi-Fi support when configuring two access points on the same band may not always initialize correctly has been resolved. [DAL-10549]
9. An issue with the new EDP client exposing the /opt/boot, /opt/config and /opt/log directories has been resolved. [DAL-10702]
10. An issue with the TX40 5G platforms not returning a TAC when in 5G NSA mode has been resolved. [DAL-10393]
11. The Wi-Fi status page in the Web UI has been updated to correctly display the signal strength of connected Wi-Fi clients. [DAL-10732]
12. An issue where the Ethernet statistics being reported in the metrics were those of the LAN bridge device rather than the individual Ethernet port has been resolved. [DAL-10555]
13. An issue where a firmware update file was not being deleted if an update via Digi Remote Manager failed leaving a shortage of space on the device has been resolved. [DAL-10632]
14. The following issues with the Configuration Rollback support have been resolved
    • The set_setting response not including the rollback_uuid. [DAL-10375, DAL-10377]
    • The device not validating that the max_wait is greater than the min_wait. [DAL-10376]
15.  An issue where the modem emulation mode could lock up if a connection attempt failed has been resolved. [DAL-10757]
16. An issue with the system find-me command on the TX40 where not all of the LEDs would flash has been resolved. [DAL-10658]
17. An issue where the PLMNID was being reported as DATA ONLY on the TX40 4G has been resolved. [DAL-10576]
18. An issue where spurious characters would be displayed with the show wan-bonding command has been resolved. [DAL-10359]
19. An issue with the SNMP support where a missing privacy password configuration could prevent the SNMPv3 user to work has been resolved. [DAL-10857]
20. An issue with DAL REST API not terminating the HTTP header correctly has been resolved.[DAL-10744]
21. Various issues with the Web UI serial page have been resolved. [DAL-10733]
22. An issue with the show wireguard verbose command has been resolved. [DAL-10889]
23. An issue where the Web UI log out was not working with on some Web UI pages has been resolved. [DAL-10315]
24. An issue with the show manufacture CLI command on the TX64 has been resolved.
25. An issue that was have causing ‘missing ]’ to be output on the TX64 serial port has been resolved.
26. An issue with the RSTP service not stopping when disabled has been resolved.

(November 2024) 
This is a mandatory release

NEW FEATURES

1. Support for a new asynchronous Query State mechanism has been added to allow the device to push detailed status information to Digi Remote Manager for the following functional groups:
   • System
   • Cloud
   • Ethernet
   • Cellular
   • Interface
2. A new Configuration Rollback feature when configuring the device using Digi Remote Manager has been added. With this rollback feature, if the device loses its connection with Digi Remote Manager due to a configuration change, it will roll back to its previous configuration and reconnect to Digi Remote Manager.

ENHANCEMENTS 

1. The defaultip and defaultlinklocal interfaces have been renamed to setupip and setuplinklocal respectively. The setupip and setuplinklocal interfaces can be used to initial connect to and do initial configuration using a common IPv4 192.168.210.1 address.
2. The cellular support has been updated to default to use CID 1 instead of 2. The device will check for a saved CID for the SIM/Modem combination before using the default CID so that existing connected device are unaffected.
3. The configuration support has been updated so that the user must re-enter their original password when changing their password.
4. Support for configuring a custom SST 5G slicing option has been added.
5. The Wireguard support has been updated on the Web UI to have a button to create peer configurations.
6. The system factory-erase CLI command has been updated to prompt the user to confirm the command. This can overridden using the force parameter.
7. Support for configuring TCP timeout values has been added. The new configuration is under the Network > Advanced menu.
8. Support for displaying a message for users not using 2FA when logging in when PrimaryResponder mode is enabled has been added.
9. The email notification support has been updated to allow the notifications to be sent to a SMTP server using no authentication.
10. The Ookla Speedtest support has been updated to include the cellular statistics when the test is run over a cellular interface.
11. The amount of messages logged by the TX40 Wi-Fi driver to prevent the system log from being saturated with Wi-Fi debug messages.
12. Support for displaying the 5G NCI (NR Cell Identity) status in DRM, Web UI and CLI has been added.
13. The CLI and Web UI Serial page has been updated to allow the user to set sequential IP port numbers for SSH, TCP, telnet, UDP services on multiple serial ports.
14. The modem logging has been updated to log the APN instead of the index and remove other unnecessary log entries.
15. The way the watchdog calculates the amount of memory that is being used has been updated.
16. The title and description for the password_pr parameter has been updated to help distinguish it from the password parameter.

SECURITY FIXES 

1. The Linux kernel has been updated to v6.10 [DAL-9877]
2. The OpenSSL package has been updated to v3.3.2 [DAL-10161]
   • CVE-2023-2975 CVSS Score: 5.3 Medium
3. The OpenSSH package has been updated to v9.8p1 [DAL-9812]
   • CVE-2024-6387 CVSS Score: 8.1 High
4. The ModemManager package has been updated to v1.22.0 [DAL-9749]
5. The libqmi package has been updated to v1.34.0 [DAL-9747]
6. The libmbim package has been updated to v1.30.0 [DAL-9748]
7. The pam_tacplus package has been updated to v1.7.0 [DAL-9698]
   • CVE-2016-20014 CVSS Score: 9.8 Critical
   • CVE-2020-27743 CVSS Score: 9.8 Critical
   • CVE-2020-13881 CVSS Score: 7.5 High
8. The linux-pam package has been updated to v1.6.1 [DAL-9699]
   • CVE-2022-28321 CVSS Score: 9.8 Critical
   • CVE-2010-4708 CVSS Score: 7.2 High
9. The pam_radius package has been updated to v2.0.0 [DAL-9805]
   • CVE-2015-9542 CVSS Score: 7.5 High
10. The unbound package has been updated to v1.20.0 [DAL-9464]
    • CVE-2023-50387 CVSS Score: 7.5 High
11. The libcurl package has been updated to v8.9.1 [DAL-10022] CVE-2024-7264 CVSS Score: 6.5 Medium
12. The GMP package has been updated to v6.3.0 [DAL-10068]
    • CVE-2021-43618 CVSS Score: 7.5 High
13. The expat package has been updated to v2.6.2 [DAL-9700]
    • CVE-2023-52425 CVSS Score: 7.5 High
14. The libcap package has been updated to v2.70 [DAL-9701]
    • CVE-2023-2603 CVSS Score: 7.8 High
15. The libconfuse package has been updated with latest patches. [DAL-9702]
    • CVE-2022-40320 CVSS Score: 8.8 High
16. The libtirpc package has been updated to v1.3.4 [DAL-9703]
    • CVE-2021-46828 CVSS Score: 7.5 High
17. The glib package has been updated to v2.81.0 [DAL-9704]
    • CVE-2023-29499 CVSS Score: 7.5 High
    • CVE-2023-32636 CVSS Score: 7.5 High
    • CVE-2023-32643 CVSS Score: 7.8 High
18. The protobuf package has been updated to v3.21.12 [DAL-9478]
    • CVE-2021-22570 CVSS Score: 5.5 Medium
19. The dbus package has been updated to v1.14.10 [DAL-9936]
    • CVE-2022-42010 CVSS Score: 6.5 Medium
    • CVE-2022-42011 CVSS Score: 6.5 Medium
    • CVE-2022-42012 CVSS Score: 6.5 Medium
20. The lxc package has been updated to v6.0.1 [DAL-9937]
    • CVE-2022-47952 CVSS Score: 3.3 Low
21. The Busybox v1.36.1 package has been patched to resolve a number of CVEs. [DAL-10231] CVE-2023-42363 CVSS Score: 5.5 Medium
    • CVE-2023-42364 CVSS Score: 5.5 Medium
    • CVE-2023-42365 CVSS Score: 5.5 Medium
    • CVE-2023-42366 CVSS Score: 5.5 Medium
22. The Net-SNMP v5.9.3 package has been updated to resolve a number of CVEs.
    • CVE-2022-44792 CVSS Score: 6.5 Medium
    • CVE-2022-44793 CVSS Score: 6.5 Medium
23. SSH support is now disabled by default for devices that have Primary Responder support enabled. [DAL-9538]
24. Support for TLS compression has been removed. [DAL-9425]
25. The Web UI session token is now expired when the user logs out. [DAL-9539]
26. The device’s MAC address has been replaced with the serial number in the Web UI login page title bar. [DAL-9768]

BUG FIXES

1. An issue where the Wi-Fi clients connected to a TX40 not being displayed on CLI show wifi ap <name> command and on the Web UI has been resolved. [DAL-10127]
2. An issue where the same ICCID was being reported for both SIM1 and SIM2 has been resolved.[DAL-9826]
3. An issue where the 5G band information was not being displayed on the TX40 has been resolved. [DAL-8926]
4. An issue where the TX40 GNSS support could lose its fix after remaining connected for many days has been resolved. [DAL-9905]
5. An issue where an invalid status could be returned to Digi Remote Manager when doing a cellular modem firmware update has been resolved. [DAL-10382]
6. The system > schedule > reboot_time parameter has been updated to be a full parameter and can now be configured via Digi Remote Manager. Previously it was an alias parameter which can be configured by Digi Remote Manager. [DAL-9755]
7. An issue where a device could get stuck using a particular SIM slot even though no SIM was detected has been resolved. [DAL-9828]
8. An issue where US Cellular would be displayed as the carrier when connected to Telus has been resolved. [DAL-9911]
9. An issue with Wireguard where the public key generated using the Web UI not being saved correctly when has been resolved. [DAL-9914]
10. An issue where IPsec tunnels disconnected when old SAs were being deleted has been resolved. [DAL-9923]
11. The 5G support on the TX54 platforms has been updated to default to NSA mode. [DAL-9953]
12. An issue where starting BGP would cause an error to be output on the Console port has been resolved. [DAL-10062]
13. An issue where a serial bridge would fail to connect when FIPS mode was enabled has been resolved. [DAL-10032]
14. The following issues with the Bluetooth scanner have been resolved
    1. Some detected Bluetooth devices where missing from data sent to remote servers. [DAL-9902]
    2. The Bluetooth scanner data being sent to remote devices did not include hostname and location fields. [DAL-9904]
15. An issue where the serial port could stall when changing the setting of a serial port has been resolved. [DAL-5230]
16. An issue where a firmware update file downloaded from Digi Remote Manager could cause the device to disconnect to more than 30 minutes has been resolved. [DAL-10134]
17. An issue with the SystemInfo group in the Accelerated MIB not being indexed correctly has been resolved. [DAL-10173]
18. An issue with the RSRP and RSRQ not being reported on TX64 5G devices has been resolved.[DAL-10211]
19. The Deutsche Telekom 26202 PLMN ID and 894902 ICCID prefix have been added to ensure the correct Provider FW is displayed. [DAL-10212]
20. The help text for the Hybrid Addressing mode has been updated to indicate that the IPv4 address mode needs to be configured to either Static or DHCP. [DAL-9866]
21. An issue where the default values for boolean parameters where not being displayed in the Web UI has been resolved. [DAL-10290]
22. An issue where a blank APN was being written in mm.json file has been resolved. [DAL-10285]
23. An issue where the watchdog would incorrectly reboot the device when the memory warning threshold is exceeded has been resolved. [DAL-10286]

(August 2024)
This is a mandatory release

BUG FIXES 

1. An issue that prevented IPsec tunnels that use IKEv2 from re-keying has been resolved. This was introduced in the 24.6.17.54 release. [DAL-9959]
2. An issue with SIM failover which could prevent a cellular connection from being established has been resolved. This was introduced in the 24.6.17.54 release. [DAL-9928]

(July 2024)
This is a mandatory release

NEW FEATURES
There are no new common features in this release.

ENHANCEMENTS 

1. The WAN-Bonding support has been enhanced with the following updates:
   1. SureLink support.
   2. Encryption support.
   3. SANE client has been updated to 1.24.1.2.
   4. Support for configuring multiple WAN Bonding servers.
   5. Enhanced status and statistics.
   6. The WAN Bonding status is now included in the metrics sent to Digi Remote Manager.
2. The cellular support has been enhanced with the following updates:
   1. The special PDP context handling for the EM9191 modem which was causing issues with some carriers. A common method is now used to set the PDP context.
   2. The cellular connection back-off algorithm has been removed as the cellular modems have built-in back off algorithms that should be used.
   3. The cellular APN lock parameter has been changed to APN selection to allow the user to select between using the built-in Auto-APN list, the configured APN list or both.
   4. The cellular Auto-APN list has been updated.
   5. The MNS-OOB-APN01.com.attz APN has been removed from the Auto-APN fallback list.
3. The Wireguard support has been updated to allow the user to generate a client configuration that can be copied onto another device. This is done using the command wireguard generate <tunnel> <peer>. Extra information may be needed from the client depending on config:
   1. How the client machine connects to the DAL device. This is needed if the client is initiating any connections and there is no keepalive value.
   2. If the client generates their own private/public key, they will need to set add that to their configuration file. If this is used with ‘Device managed public key’, every time a generate is called on a peer, a new private/public key is generated and set for that peer, this is because we do not store any private key information of any clients on the device.
4. The SureLink support has been updated to:
   1. Shutdown the cellular modem before power cycling it.
   2. Export the INTERFACE and INDEX environment variables so that they can be used in custom action scripts.
5. The Default IP network interface has been renamed to Setup IP in the Web UI.
6. The Default Link-local IP network interface has been renamed to Setup Link-local IP in the Web UI.
7. The uploading of device events to Digi Remote Manager has been enabled by default.
8. The logging of SureLink events has been disabled by default as it was causing the event log to be saturated with test pass events. SureLink messages will still appear in the system message log.
9. The show surelink command has been updated.
10. The status of the System Watchdog tests can now be obtained via Digi Remote Manager, the Web UI and using CLI command show watchdog.
11. The Speedtest support has been enhanced with the following updates:
    1. To allow it to run on any zone with src_nat enabled.
    2. Better logging when a Speedtest fails to run.
12. The Digi Remote Manager support has been updated to only re-establish connection to Digi Remote Manager if there is a new route/interface it should utilize to get to Digi Remote Manager.
13. A new configuration parameter, system > time > resync_interval, has been added to allow the user to configure the system time resynchronization interval.
14. Support for USB printers has been enabled. It is possible to configure to device to listen for printer requests via the socat command: socat – u tcp-listen:9100,fork,reuseaddr OPEN:/dev/usblp0
15. The SCP client command has been updated with a new legacy option to use the SCP protocol for file transfers instead of the SFTP protocol.
16. Serial connection status information has been added to the Query State response message that is sent to Digi Remote Manager.
17. Duplicate IPsec messages have been removed from the system log.
18. The debug log messages for the health metrics support have been removed.
19. The help text for the FIPS mode parameter has been updated to warn the user the device will automatically reboot when changed and that all configuration will be erased if disabled.
20. The help text for the SureLink delayed_start parameter has been updated.
21. Support for the Digi Remote Manager RCI API compare_to command has been added

SECURITY FIXES 

1. The setting for Client isolation on Wi-Fi Access Points has been changed to be enabled by default. [DAL-9243]
2. The Modbus support has been updated to support the Internal, Edge and Setup zones by default. [DAL-9003]
3. The Linux kernel has been updated to 6.8. [DAL-9281]
4. The StrongSwan package has been updated to 5.9.13 [DAL-9153]
   • CVE-2023-41913 CVSS Score: 9.8 Critical
5. The OpenSSL package has been updated to 3.3.0. [DAL-9396]
6. The OpenSSH package has been updated to 9.7p1. [DAL-8924]
   • CVE-2023-51767 CVSS Score: 7.0 High
   • CVE-2023-48795 CVSS Score: 5.9 Medium
7. The DNSMasq package has been updated to 2.90. [DAL-9205]
   • CVE-2023-28450 CVSS Score: 7.5 High
8. The rsync package has been updated 3.2.7 for the TX64 platforms. [DAL-9154]
   • CVE-2022-29154 CVSS Score: 7.4 High
9. The udhcpc package has been updated to resolve a CVE issue. [DAL-9202]
   • CVE-2011-2716 CVSS Score: 6.8 Medium
10. The c-ares package has been updated to 1.28.1. [DAL9293-]
    • CVE-2023-28450 CVSS Score: 7.5 High
11. The jerryscript package has been updated to resolve a number CVEs.
    • CVE-2021-41751 CVSS Score: 9.8 Critical
    • CVE-2021-41752 CVSS Score: 9.8 Critical
    • CVE-2021-42863 CVSS Score: 9.8 Critical
    • CVE-2021-43453 CVSS Score: 9.8 Critical
    • CVE-2021-26195 CVSS Score: 8.8 High
    • CVE-2021-41682 CVSS Score: 7.8 High
    • CVE-2021-41683 CVSS Score: 7.8 High
    • CVE-2022-32117 CVSS Score: 7.8 High
12.  The AppArmor package has been updated to 3.1.7. [DAL-8441]
13. The following iptables/netfilter packages have been updated [DAL-9412]
    1. nftables 1.0.9
    2. libnftnl 1.2.6
    3. ipset 7.21
    4. conntrack-tools 1.4.8
    5. iptables 1.8.10
    6. libnetfilter_log 1.0.2
    7. libnetfilter_cttimeout 1.0.1
    8. libnetfilter_cthelper 1.0.1
    9. libnetfilter_conntrack 1.0.9
    10. libnfnetlink 1.0.2
14. The following packages have been updated [DAL-9387]
    1. libnl 3.9.0
    2. iw 6.7
    3. strace 6.8
    4. net-tools 2.10
    5. ethtool 6.7
    6. MUSL 1.2.5
15. The http-only flag is now being set on Web UI headers. [DAL-9220]

BUG FIXES  

1. The WAN Bonding support has been updated with the following fixes:
   1. The client is now automatically restarted when client configuration changes are made.[DAL-8343]
   2. The client is now automatically restarted if it has stopped or crashed. [DAL-9015]
   3. The client is now not restarted if an interface goes up or down. [DAL-9097]
   4. The sent and receive statistics has been corrected. [DAL-9339]
   5. The link on the Web UI dashboard now takes the user to the Web-Bonding status page instead of the configuration page. [DAL-9272]
   6. The CLI show route command has been updated to show the WAN Bonding interface.[DAL-9102]
   7. Only the required ports rather than all ports are now opened in the firewall for incoming traffic in the Internal zone. [DAL-9130]
   8. The show wan-bonding verbose command has been updated to comply with style requirements. [DAL-7190]
   9. Data was not being sent through the tunnel due to an incorrect route metric. [DAL-9675]
   10. The show wan-bonding verbose command. [DAL-9490, DAL-9758]
   11. Reduced memory usage that causes issues on some platforms. [DAL-9609]
2. The SureLink support has been updated with the following fixes:
   1. An issue where re-configuring or remove static routes could cause routes being incorrectly added to the routing table has been resolved. [DAL-9553]
   2. An issue where static routes were not being updated if the metric was configured as 0 has been resolved. [DAL-8384]
   3. An issue where the TCP test to a hostname or FQDN can fail if the DNS request goes out of the wrong interface has been resolved. [DAL-9328]
   4. An issue where disabling SureLink after an update routing table action leaves orphaned static routes has been resolved. [DAL-9282]
   5. An issue where the show surelink command displaying incorrect status has been resolved. [DAL-8602, DAL-8345, DAL-8045]
   6. An issue with SureLink being on enabled on LAN interfaces causing issues with tests being run on other interfaces has been resolved. [DAL-9653]
3. An issue where IP packets could be sent out of the wrong interface, including those with private IP addresses which could lead to being disconnected from the cellular network has been resolved. [DAL-9443]
4. The SCEP support has been updated to resolve an issue when a certificate has been revoked. It will now perform a new enrollment request as the old key/certificates are no longer considered secure to perform a renewal. Old revoked certificates and keys are now removed from the device. [DAL-9655]
5. An issue with how OpenVPN generated in server certificates has been resolved. [DAL-9750]
6. An issue where Digi Remote Manager would continue to display a device as connected if it had been booted locally has been resolved. [DAL-9411]
7. An issue where changing the location service configuration could cause the cellular modem to disconnect has been resolved. [DAL-9201]
8. An issue with SureLink on IPsec tunnels using strict routing has been resolved. [DAL-9784]
9. A race condition when an IPsec tunnel is brought down and reestablished quickly could prevent the IPsec tunnel coming up has been resolved. [DAL-9753]
10. An issue when running multiple IPsec tunnels behind the same NAT where only interface could come up has been resolved. [DAL-9341]
11. An issue with IP Passthrough mode where the cellular interface would be brought down if the LAN interface goes down which meant the device was no longer accessible via Digi Remote Manager has been resolved. [DAL-9562]
12. An issue with multicast packets not being forwarded between bridge ports has been resolved. This issue was introduced in DAL 24.3. [DAL-9315]
13. An issue where an incorrect Cellular PLMID was being displayed has been resolved. [DAL-9315]
14. An issue with an incorrect 5G bandwidth being reported has been resolved. [DAL-9249]
15. An issue with the RSTP support where it may initialize correct in some configurations has been resolved. [DAL-9204]
16. An issue where a device would attempt to upload the maintenance status to Digi Remote Manager when it is disabled has been resolved. [DAL-6583]
17. An issue with the Web UI drag and drop support which could cause some parameters being incorrectly updated has been resolved. [DAL-8881]
18. An issue with the Serial RTS toggle pre-delay not being honored has been resolved. [DAL-9330]
19. An issue with the Watchdog triggering a reboot when not necessary has been resolved. [DAL-9257]
20. An issue where modem firmware updates would fail due to the index of the modem changing during the update and the status result not being reported to Digi Remote Manager has been resolved. [DAL-9524]
21. An issue with the cellular modem firmware update on Sierra Wireless modems has been resolved. [DAL-9471]
22. An issue with how the cellular statistics were being reported to Digi Remote Manager has been resolved. [DAL-9651]

VERSION 24.3.28.87

(March 2024)
This is a mandatory release

NEW FEATURES 

1. Support for WireGuard VPNs has been added.
2. Support for a new Ookla based speed test has been added.
   Note: This is a Digi Remote Manager exclusive feature.
3. Support for GRETap Ethernet tunneling has been added.

ENHANCEMENTS 

1. The WAN Bonding support has been updated
   1. Support for a WAN Bonding backup server has been added.
   2. The WAN Bonding UDP port is now configurable.
   3. The WAN Bonding client has been updated to 1.24.1
2. Support for configuring which 4G and 5G cellular bands can and cannot be used for a cellular connection has been added.
   Note: This configuration should be used with care as it could lead to poor cellular performance or even preventing the device from connecting to the cellular network.
3. The System Watchdog has been updated to allow for monitoring of interfaces and cellular modems.
4. The DHCP server support has been updated
   1. To offer a specific IP address for a DHCP request received on a particular port.
   2. Any requests for the NTP server and WINS server options will be ignored if the options is configured to none.
5. Support for SNMP traps to be sent when an event occurs has been added. It can be enabled on a per-event type basis.
6. Support for Email notifications to be sent when an event occurs has been added. It can be enabled on a per-event type basis.
7. A button has been added to the Web UI Modem Status page to update the modem to the latest available modem firmware image.
8. The OSPF support has been updated to add the capability to link OSPG routes through a DMVPN tunnel. There are two new configuration options
   1. A new option has been added to Network > Routes > Routing services > OSPFv2 > Interfaces > Network type to specify the network type as a DMVPN tunnel.
   2. A new Redirect setting has been added to Network > Routes > Routing services > NHRP > Network to allow redirection of packets between spokes.
9. The location service has been updated
   1. To support an interval_multiplier of 0 when forwarding NMEA and TAIP messages. In this case, the NMEA/TAIP messages will be forwarded immediately rather than caching and waiting for the next interval multiple.
   2. To only display the NMEA and TAIP filters depending on the select type.
   3. To display the HDOP value in Web UI, show location command and in the metrics pushed up to Digi Remote Manager.
10. A configuration option has been added to the Serial interface support to disconnect any active sessions if the serial port DCD or DSR pins are disconnected. A new CLI command system serial disconnect has been added to support this. The Serial status page in the Web UI has also been updated with the option.
11. The Digi Remote Manager keepalive support has been updated to more quickly detect stale connections and so can recover the Digi Remote Manager connection more quickly.
12. The redistribution of connected and static routes by BGP, OSPFv2, OSPFv3, RIP and RIPng has been disabled by default.
13. The show surelink command has been updated to have a summary view and an interface/tunnel specific view.
14. The Web UI serial status page and the show serial command have been updated to display the same information. Previously some information was only available on one or the other.
15. The LDAP support has been updated to support a group name alias.
16. Support for connecting a USB printer to a device via a USB port has been added. This feature can used via Python or socat to open a TCP port to process printer requests.
17. The default timeout of the Python digidevice cli.execute function has been updated to 30 seconds to prevent command timeouts on some platforms.
18. The Verizon 5G V5GA01INTERNET APN has been added to the fallback list.
19. The help text for modem antenna parameter has been updated to include a warning that it may cause connectivity and performance issues.
20. The help text for the DHCP hostname option parameter has been updated to clarify its use.

SECURITY FIXES 

1. The Linux kernel has been updated to version 6.7 [DAL-9078]
2. The Python support has been updated to version 3.10.13 [DAL-8214]
3. The Mosquitto package has been updated to version 2.0.18 [DAL-8811]
   • CVE-2023-28366 CVSS Score: 7.5 High
4. The OpenVPN package has been updated to version 2.6.9 [DAL-8810]
   • CVE-2023-46849 CVSS Score: 7.5 High
   • CVE-2023-46850 CVSS Score: 9.8 Critical
5. The rsync package has been updated to version 3.2.7 [DAL-9154]
   • CVE-2022-29154 CVSS Score: 7.4 High
   • CVE-2022-37434 CVSS Score: 9.8 Critical
   • CVE-2018-25032 CVSS Score: 7.5 High
6. The DNSMasq package has been patched to resolve CVE-2023-28450. [DAL-8338]
   • CVE-2023-28450 CVSS Score: 7.5 High
7. The udhcpc package has been patched to resolved CVE-2011-2716. [DAL-9202]
   • CVE-2011-2716
8. The default SNMP ACL settings have been updated to prevent access via External zone by default if the SNMP service is enabled. [DAL-9048]
9. The netif, ubus, uci, libubox packages have been updated to OpenWRT version 22.03 [DAL-8195]

BUG FIXES 

1. The following WAN Bonding issues have been resolved
   1. The WAN Bonding client is not restarted if the client stops unexpectedly. [DAL-9015]
   2. The WAN Bonding client was being restarted if an interface went up or down. [DAL-9097]
   3. The WAN Bonding interface staying disconnected if a cellular interface cannot connect. [DAL-9190]
   4. The show route command not displaying the WAN Bonding interface. [DAL-9102]
   5. The show wan-bonding command displaying incorrect interface status. [DAL-8992, DAL-9066]
   6. Unnecessary ports being opened in the firewall. [DAL-9130]
   7. An IPsec tunnel configured to tunnel all traffic whilst using a WAN Bonding interface causing the IPsec tunnel to not pass any traffic. [DAL-8964]
2. An issue where data metrics being uploaded to Digi Remote Manager being lost has been resolved. [DAL-8787]
3. An issue that caused Modbus RTUs to unexpectedly timeout has been resolved. [DAL-9064]
4. An RSTP issue with the bridge name lookup has been resolved. [DAL-9204]
5. An issue with the GNSS active antenna support on the IX40 4G has been resolved. [DAL-7699]
6. The following issues with cellular status information have been resolved
   1. Cellular signal strength percentage not being reported correctly. [DAL-8504]
   2. Cellular signal strength percentage being reported by the/metrics/cellular/1/sim/signal_percent metric. [DAL-8686]
   3. The 5G signal strength being reported for the IX40 5G devices. [DAL-8653]
7.  The following issues with the SNMP Accelerated MIB have been resolved
   1. The cellular tables not working correct on devices with cellular interfaces not called “modem” has been resolved. [DAL-9037]
   2. Syntax errors that prevented if from being correctly parsed by SNMP clients. [DAL-8800]
   3. The runtValue table not being correctly indexed. [DAL-8800]
8. The following PPPoE issues have been resolved
   1. The client session was not being reset if the server goes away has been resolved. [DAL-6502]
   2. Traffic stopping being routed after a period of time. [DAL-8807]
9. An issue with the DMVPN phase 3 support where firmware rules needed to the disabled in order to honor default routes inserted by BGP has been resolved. [DAL-8762]
10. An issue with the DMVPN support taking a long time to come up has been resolved. [DAL-9254]
11. The Location status page in the Web UI has been updated to display the correct information when the source is set to user-defined.
12. An issue with the Web UI and show cloud command displaying an internal Linux interface rather than the DAL interface has been resolved. [DAL-9118]
13. An issue with the IX40 5G antenna diversity which would cause the modem to go into a “dump” state has been resolved. [DAL-9013]
14.  An issue where devices using a Viaero SIM could not connect to 5G networks has been resolved. [DAL-9039]
15. An issue with the SureLink configuration migration resulting some blank settings has been resolved. [DAL-8399]
16. An issue where configuration was been committed at boot-up after an update has been resolved. [DAL-9143]
17. The show network command has been corrected to always display the TX and RX bytes values.
18. The NHRP support has been updated to not log messages when disabled. [DAL-9254]

(January 2024)

NEW FEATURES 

1. Support for linking OSPF routes through a DMVPN tunnel has been added.
   1. A new configuration option Point-to-Point DMVPN has been added to Network > Routes > Routing services > OSPFv2 > Interface > Network parameter.
   2. A new configuration parameter redirect has been added to the Network> Routes > Routing services > NHRP > Network configuration.
2. Support for the Rapid Spanning Tree Protocol (RSTP) has been added.

ENHANCEMENTS 

1. The EX15 and EX15W bootloader has been updated to increase the size of the kernel partition to accommodate larger firmware images in the future. Devices will need to be updated to the 23.12.1.56 firmware before updating to newer firmware in the future.
2. A new option After has been added to the Network > Modems Preferred SIM configuration to prevent a device from switching back to the preferred SIM for the configured amount of time.
3. The WAN Bonding support has been updated
   1. New options have been added to the Bonding Proxy and Client devices configuration to direct traffic from specified network through the internal WAN Bonding Proxy to provide improved TCP performance through the WAN Bonding server.
   2. New options have been added to set the Metric and Weight of the WAN Bonding route which can be used to control the priority of the WAN Bonding connection over other WAN interfaces.
4. A new DHCP server option to support BOOTP clients has been added. It is disabled by default.
5. The status of Premium Subscriptions has been added the System Support Report.
6. A new object_value argument have been added to the local Web API that can be used to configure a single value object.
7. The SureLink actions Attempts parameter has been renamed to the SureLink Test failures to better describe its use.
8. A new vtysh option has been added to the CLI to allow access to the FRRouting integrated shell.
9. A new modem sms command has been added to CLI for sending outbound SMS messages.
10. A new Authentication > serial > Telnet Login parameter to been added to control whether a user must supply authentication credentials when opening a Telnet connection to direct access a serial port on the device.
11. The OSPF support has been updated to support the setting the Area ID to an IPv4 address or a number.
12. The mDNS support has been updated to allow a maximum TXT record size of 1300 bytes.
13. The migration of the SureLink configuration from 22.11.x.x or earlier releases has been improved.
14. A new System → Advanced watchdog → Fault detection tests → Modem check and recovery configuration setting has been added to control whether the watchdog will monitor the initialization of the cellular modem inside the device and automatically take recovery actions to reboot the system if the modem doesn’t initialize properly (disabled by default).

SECURITY FIXES 

1. The Linux kernel has been updated to version 6.5 [DAL-8325]
2. An issue with sensitive SCEP details appearing the SCEP log has been resolved. [DAL-8663]
3. An issue where a SCEP private key could be read via the CLI or Web UI has been resolved. [DAL-8667]
4. The musl library has been updated to version 1.2.4 [DAL-8391]
5. The OpenSSL library has been updated to version 3.2.0 [DAL-8447]
   • CVE-2023-4807 CVSS Score: 7.8 High
   • CVE-2023-3817 CVSS Score: 5.3 Medium
6. The OpenSSH package has been updated to version 9.5p1 [DAL-8448]
7. The curl package has been updated to version 8.4.0 [DAL-8469]
   • CVE-2023-38545 CVSS Score: 9.8 Critical
   • CVE-2023-38546 CVSS Score: 3.7 Low
8. The frrouting package has been updated to version 9.0.1 [DAL-8251]
   • CVE-2023-41361 CVSS Score: 9.8 Critical
   • CVE-2023-47235 CVSS Score: 7.5 High
   • CVE-2023-38802 CVSS Score: 7.5 High
9. The sqlite package has been updated to version 3.43.2 [DAL-8339]
   • CVE-2022-35737 CVSS Score: 7.5 High
10. The netif, ubus, uci, libubox packages have been updated to OpenWRT version 21.02 [DAL-7749]

BUG FIXES 

1. An issue with serial modbus connections that cause incoming Rx responses from a serial port configured in ASCII mode if the reported length of the packet didn’t match the received length of the packet to be dropped has been resolved. [DAL-8696]
2. An issue with DMVPN that cause NHRP routing through tunnels to Cisco hubs to be unstable has been resolved. [DAL-8668]
3. An issue that prevented the handling of incoming SMS message from Digi Remote Manager has been resolved. [DAL-8671]
4. An issue that could cause a delay in connecting to Digi Remove Manager when booting up has been resolved. [DAL-8801]
5. An issue with MACsec where the interface could fail to re-establish if the tunnel connection was interrupted has been resolved. [DAL-8796]
6. An intermittent issue with the SureLink restart-interface recovery action on an Ethernet interface when re-initializing the link has been resolved. [DAL-8473]
7. An issue that prevented the Autoconnect mode on a Serial port from reconnecting until the timeout had expired has been resolved. [DAL-8564]
8. An issue that prevented IPsec tunnels from being established through a WAN Bonding interface have been resolved. [DAL-8243]
9. An intermittent issue where SureLink could trigger a recovery action for an IPv6 interface even if no IPv6 tests were configured has been resolved. [DAL-8248]
10. An issue with SureLink custom tests has been resolved. [DAL-8414]
11. A rare issue on the EX15 and EX15W where the modem could get into an unrecoverable state unless the device or modem was power cycled has been resolved. [DAL-8123]
12. An issue with LDAP authentication not working when LDAP is the only configured authentication method has been resolved. [DAL-8559]
13. An issue where local non-admin user passwords were not migrated after enabling Primary Responder mode has been resolved. [DAL-8740]
14. An issue where a disabled interface would show received/sent values of N/A in the Web UI Dashboard has been resolved. [DAL-8427]
15. An issue that prevented users from manually registering some Digi router types with Digi Remote Manager via the Web UI has been resolved. [DAL-8493]
16. An issue where the system uptime metric was reporting an incorrect value to Digi Remote Manager has been resolved. [DAL-8494]
17. An intermittent issue with migrating IPsec SureLink setting from devices running 22.11.x.x or earlier has been resolved. [DAL-8415]
18. An issue where SureLink was not reverting the routing metrics when failing back on an interface has been resolved. [DAL-8887]
19. An issue where the CLI and Web UI would not show the correct networking details when WAN Bonding was enabled has been resolved. [DAL-8866]
20. An issue with the show wan-bonding CLI command has been resolved. [DAL-8899]
21. An issue that prevents devices from connecting to Digi Remote Manager over a WAN Bonding interface has been resolved. [DAL-8882]

DIGI INTERNATIONAL

• 9350 Excelsior Blvd, Suite 700, Hopkins, MN 55343, USA
• +1 952-912-3444 | +1 877-912-3444
• www.digi.com

FAQ

What are the supported products for Digi Accelerated Linux?
The supported products for Digi Accelerated Linux are AnywhereUSB Plus, Connect EZ, and Connect IT.

How can I update the firmware manually?
To update the firmware manually, log into the Web UI, navigate to the System > Firmware Update page, select the appropriate firmware version, and click UPDATE FIRMWARE. The device will reboot automatically after the update.

What are the recommended best practices for updating the firmware?
Digi recommends testing the new release in a controlled environment before deployment and applying updates in the order of Device firmware, Modem firmware, Configuration, and Application.

Documents / Resources

DIGI EZ Accelerated Linux Serial Server [pdf] Instructions AnywhereUSB Plus, Connect IT, Connect EZ Accelerated Linux Serial Server, Connect EZ, Accelerated Linux Serial Server, Linux Serial Server, Serial Server

References

• User Manual