FIRMWARE RELEASE NOTE
======================

Products affected: AXIS P3905-R-MkII
Release date: 2019-04-23
Release type: Production
Firmware version: 8.40.2
Preceding release: 8.40.1.2

--------------------------------------------------------------------------------

Upgrade instructions
====================
Upgrade the firmware according to the instructions given at https://www.axis.com/ca/en/support/tecnical-notes/how-to-upgrade or howtoupgrade.txt, which is included in the firmware folder.

NOTE
====================
For latest information about Axis Cybersecurity, see https://www.axis.com/se/sv/support/product-security.

Corrections in 8.40.2 since 8.40.1.2
=====================================
8.40.2:C01 General minor improvements to the 8.40 LTS platform.

8.40.2:C02 Corrected the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863.

8.40.2:C03 Corrected security vulnerability CVE-2019-0217 in Apache to increase overall minimum cyber security level.

8.40.2:C04 Corrected security vulnerability CVE-2017-16544 in BusyBox to increase overall minimum cyber security level.

8.40.2:C05 Corrected an issue that caused a viewer user to not be able to obtain the list of image resolution properties via param.cgi.

8.40.2:C06 Corrected an issue in the Web-GUI that prevented uploading a Client Certificate or CA certificate using the Edge browser.

8.40.2:C07 Updated pre-installed Mozilla CA-certificates to versions available at 20190122.

8.40.2:C08 Added GOP Length option to the Stream Profile Settings.

8.40.2:C09 Corrected the following vulnerabilities in order to increase overall minimum cybersecurity level: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866.

8.40.2:C10 Updated OpenSSL to version 1.0.2r to increase overall minimum cyber security level.

8.40.2:C11 Corrected an issue with timestamps in the RTCP Sender Report that could cause RTSP recordings/playbacks not to work correctly in some video players using the Live555 library such as VLC and ffmpeg.

Corrections in 8.40.1.2 since 8.40.1.1
=======================================
8.40.1.2:C01 General minor improvements to the 8.40 LTS platform.

8.40.1.2:C02 Corrected an issue in the web GUI when creating a preset position and the language was set to German.

8.40.1.2:C03 Corrected an issue that could cause the camera to become unresponsive when two clients are streaming over multicast using the same streaming parameters.

8.40.1.2:C04 Upgraded Apache to version 2.4.38 to increase overall minimum cyber security level.

8.40.1.2:C05 Corrected an issue with Always Multicast over IPv6.

8.40.1.2:C06 Corrected an issue that caused factory default settings to not be applied correctly when upgrading from a firmware version prior to 6.20.

8.40.1.2:C07 Corrected an issue in the web GUI that caused IO Port values to be displayed incorrectly.

8.40.1.2:C08 Corrected an issue that caused Recorded Guard Tour not to work properly on rare occasions.

8.40.1.2:C09 Improved re-connection behavior to AVHS server. The time between failed connection attempts will now gradually increase until a hard limit is reached.

New features in 8.40.1.1
================================================================================
8.40.1.1:F1 The FTP Server is now disabled by default as it is not used during normal operation and may pose a security risk. The FTP Server may be enabled during advanced maintenance or troubleshooting in Settings -> System -> PlainConfig -> Network.

8.40.1.1:F2 Support for Brute Force Delay Protection. The product can block a client for a period of time if too many login attempts fail. Brute Force Delay Protection can be configured under System -> PlainConfig -> System -> System PreventDoSAttack.

8.40.1.1:F3 The former user group selections for HTTPS Connection Policy (administrator, operator, viewer) have been merged to one single HTTPS Connection Policy.

8.40.1.1:F4 New web-interface with improved usability and broader support of web-clients and operating systems. For more information please see https://www.axis.com/global/en/support/technical-notes/browser-support.

8.40.1.1:F5 The new web-interface supports 12 different pre-installed languages which will be chosen automatically based on browser settings. Uploading individual language files is not needed anymore.
    Supported Languages:
    English - German - French - Spanish - Italian - Portuguese - Polish - Russian - Japanese - Chinese (Mainland) - Chinese (Taiwan) - Korean

8.40.1.1:F6 Support for automatic license key installation when installing an ACAP under Settings -> Apps.

8.40.1.1:F7 The new web-interface notifies the viewer in the Live View that the video stream lags and recommends refreshing the browser or restarting the video stream manually. However, the web-interface automatically refreshes the video stream in case the video lag increases too much. Lagging video streams can be caused by outdated browser versions or insufficient computer performance.

8.40.1.1:F8 The following features have been added to the new web-interface:
    Image:
    - BDC (Barrel Distortion Correction)
    - Backfocus Configuration
    Settings:
    - SNMP
    Live View:
    - Local Video Recording to Computer
    View Areas:
    - Auto select best matching resolution/aspect ratio

8.40.1.1:F9 Pressing "Download the server report" in System -> Maintenance will now automatically attach a snapshot of the image to the .zip file in order to simplify support.

8.40.1.1:F10 Support for SRTP (Encrypted Video Streaming) according to RFC 3711. The camera's video stream can be received via secure end-to-end encrypted transportation method only by authorized clients.

8.40.1.1:F11 A parameter called "Enable the script editor (editcgi)" has been added to plain config -> system section to enable/disable the feature. Editcgi will be removed completely in the future and the function is considered deprecated.

8.40.1.1:F12 Support for Adaptive Resolution. Adaptive Resolution is enabled by default and only takes effect when viewing the live stream in the web-interface. The viewing client will receive an image resolution that is adapted or close to the viewing client's real display resolution to improve the user experience.

8.40.1.1:F13 Support for Zipstream Dynamic FPS - Lower Limit
    Support for Zipstream Dynamic GOP - Upper Limit
    It is now possible to further adjust and set limits for the Dynamic FPS and Dynamic GOP settings. The limits can be configured under Stream settings -> Zipstream.

8.40.1.1:F14 Support for Flash All/Factory Default while performing a firmware update. It is now possible to select an option that will factory default the camera after a firmware update/downgrade has been performed under Settings -> System -> Maintenance.

8.40.1.1:F15 Added a link under Settings -> Apps for the user to get fast access to information about available ACAPs on www.axis.com/products/analytics-and-other-applications.

8.40.1.1:F16 Support for Password Security Confirmation Check. To increase overall cybersecurity awareness, a user-configured password that is considered "weak" needs to be actively confirmed twice by the user.

8.40.1.1:F17 Changed the default setting of SRTP to disabled in order to reduce the number of ports opened by default.

8.40.1.1:F18 AXIS Video Motion Detection 4.2.4 is now pre-installed.

8.40.1.1:F29 Prepared support for signed firmware to increase overall cyber security level. It is planned that the product will only accept AXIS security-signed firmware starting in Q1/Q2 2019 and onwards.

8.40.1.1:F20 Updated Apache to version 2.4.35 to increase overall minimum cyber security level.

8.40.1.1:F21 Updated to OpenSSL version 1.0.2p to increase overall minimum cyber security level.

Corrections in 8.40.1.1
================================================================================
8.40.1.1:C1 Corrected a bug that denied access to the camera when AXIS Companion / Remote Access is used and the web server connection policy was set to "HTTPS only".

8.40.1.1:C2 It is now possible to fast forward/rewind to any time in a selected recording using the web interface.

8.40.1.1:C3 It is now possible to encrypt the SD card from Mozilla Firefox.

8.40.1.1:C4 Corrected an issue that caused the camera to stop streaming on rare occasions.

8.40.1.1:C5 Corrected an issue in the event system that prevented the camera from re-sending the SMTP notification every 10 seconds in case the receiving server reported an error.

8.40.1.1:C6 The web-interface now shows the correct day selection of an Axis Companion configured time schedule. Previously, Sunday was unchecked whenever at least one other day was not selected as well.

8.40.1.1:C7 Corrected an issue resulting in 503 Service Unavailable when trying to play a recording from a camera with a specific time range via ONVIF.

8.40.1.1:C8 Corrected an issue with an additional "/" sign in the absolute upload path of an SFTP Recipient when saving the action rule, causing it to not work correctly.

8.40.1.1:C9 Corrected an issue when an ONVIF client connected to the camera via digest authentication.

8.40.1.1:C10 Fixed memory leak in wsd daemon that e.g. handles ONVIF requests.

8.40.1.1:C11 Significantly reduced the waiting time for receiving a video stream when a 2nd client requests a video stream via multicast.

8.40.1.1:C12 Fixed critical vulnerability ACV-116267.

8.40.1.1:C13 The area zoom functionality has been removed from the web-interface. Area zoom was used to draw a rectangle in the live view to let the camera move to the desired position using either mechanical or digital PTZ.

8.40.1.1:C14 Corrected an issue that caused e-mails sent from the camera to be delivered with a wrong time stamp in the e-mail header.

8.40.1.1:C15 Corrected an issue with FTP recipients configured with a DNS name instead of a static IP-address which caused the FTP recipient test or action rule to fail.

8.40.1.1:C16 Corrected an issue that caused video recorded to the computer using the Video Capture button to be incorrectly displayed or unusable on rare occasions.

8.40.1.1:C17 Corrected security vulnerabilities CVE-2016-2147 and CVE-2016-2148.

8.40.1.1:C18 Corrected critical vulnerability ACV-120444.

8.40.1.1:C19 Corrected an issue that caused a configured overlay to disappear when switching to the Image or View Area tab.

8.40.1.1:C20 Corrected an issue that required the user to enter login credentials when anonymous viewer is enabled.

8.40.1.1:C21 Corrected an issue that prevented trigger data from being inserted in every I-frame and when motion detection triggers.

8.40.1.1:C22 Corrected an issue that could cause noise in images on rare occasions.

8.40.1.1:C23 Corrected critical vulnerability ACV-128401.

8.40.1.1:C24 Corrected an issue that caused the image to be cut off in full screen mode in the live view when rotated 90 or 270 degrees.

8.40.1.1:C25 Corrected an issue with the AXIS event handler registration for ADP partners.

8.40.1.1:C26 Corrected an issue that caused the camera to become unreachable via link local address in the network when the connecting client was in another subnet.

8.40.1.1:C27 Corrected an issue that caused the camera to become unresponsive on rare occasions when running ACAPs without specified ApplicationId.

8.40.1.1:C28 Increased user awareness when converting legacy overlays to dynamic overlays. A restart of ongoing recordings is required after overlay conversion.

8.40.1.1:C29 Corrected an issue with the Axis event handling interface when deactivating events.

8.40.1.1:C30 Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible TLS version for HTTPS-based connections.

8.40.1.1:C31 Corrected an issue in the ACAP framework that caused installed ACAPs to become unresponsive and the Apps tab not to be shown correctly.

8.40.1.1:C32 Corrected an issue that caused AXIS Perimeter Defender or SafeZoneEdge to stop working after a firmware upgrade.

8.40.1.1:C33 Corrected an issue that could cause the configuration file upload from ADM to camera to fail.

8.40.1.1:C34 Patched security vulnerability CVE-2018-5390 to increase overall minimum cyber security level.

8.40.1.1:C35 Corrected an issue that prevented the user from receiving the correct recording list in AXIS Companion in combination with view areas or multi-sensor products.

8.40.1.1:C36 Patched security vulnerability CVE-2018-14526 to increase overall minimum cyber security level.

8.40.1.1:C37 Corrected an issue that prevented the user from streaming video to two multicast destinations with the same port range.

8.40.1.1:C38 Corrected an issue that could cause incorrect snapshot resolutions on view areas.

8.40.1.1:C39 Patched security vulnerability CVE-2018-17182 to increase overall minimum cyber security level.

8.40.1.1:C40 Patched the following security vulnerabilities to increase overall minimum cyber security level:
    CVE-2018-10876 - CVE-2018-10877
    CVE-2018-10878 - CVE-2018-10879
    CVE-2018-10880 - CVE-2018-10881
    CVE-2018-10882 - CVE-2018-10883

8.40.1.1:C41 Corrected an issue that caused an HTTP-recipient based action rule to fail when the response from the server excluded the textual phrase (Example: HTTP 200). This will work now.

8.40.1.1:C42 Corrected an issue that corrupted the file integrity of a JPEG image without any further impact to the visible image quality.

8.40.1.1:C43 Corrected an issue that prevented the user from uploading a certificate that contains "Bag Attributes" before and after the actual certificate content.

8.40.1.1:C44 Corrected an issue that was showing "User Defined" or "User Defined 20000000" in the shutter list.

8.40.1.1:C45 Corrected an issue that could cause the camera to become unresponsive on rare occasions when connected to an AVHS system.

8.40.1.1:C46 Corrected security vulnerability CVE-2017-9798.

8.40.1.1:C47 Corrected an issue that made it necessary to login twice when connecting to the web-interface using Microsoft Edge.

8.40.1.1:C48 Corrected an issue that prevented the use of the whole sensor width for some aspect ratios.

8.40.1.1:C49 Corrected an issue that prevented the user from formatting SD cards and caused the web-interface to show incorrect information about network share status in Settings -> System -> Storage.

8.40.1.1:C50 Corrected an issue that could cause a network share to become read-only.

Known Bugs/Limitations
================================================================================
8.40.2:L1 Privacy masks that have been created in the classic web-interface may have a malformed name in the new web-interface (e.g. "Mask 0" -> "Mask%200").

8.40.2:L2 Automatic license installation is temporarily missing when installing ACAPs in the new web-interface. This was possible in the classic web-interface.

8.40.2:L3 The rotate image drop-down list is partially hidden for Internet Explorer 11.

8.40.2:L4 Video Streaming (MJPEG, H264) in latest Internet Explorer 11 via IPv6 does not work. It works in Chrome, Edge and Firefox.

8.40.2:L5 It is recommended to refresh the browser page (F5) when an OSDI zone is deleted as the control buttons (Add, Modify, Enable/Disable, Remove) will disappear after doing so.

8.40.2:L6 The license expiration date of an installed ACAP is not shown when running http://ip-address/axis-cgi/applications/list.cgi.

8.40.2:L7 Connecting to a camera will fail and result in an "Unauthorized" message due to a bug in the Microsoft Edge 40 browser. This will be corrected by Microsoft in the next version of Edge 41.

8.40.2:L8 An overlay text (e.g. date/time modifier) that has been configured in the classic web-interface will still be shown in the new web-interface even though a user might have disabled the overlay text there after the firmware update. A user needs to disable the overlay text in the Plain config. Untick the checkboxes for Image Ix Text -> ClockEnabled and DateEnabled.

8.40.2:L9 Zooming using the mouse wheel does not work in LiveView.

8.40.2:L11 Corrected an issue that could cause the camera to become unresponsive on rare occasions when connected to an AVHS system.

8.40.2:L12 Corrected an issue that made it necessary to login twice when connecting to the web-interface using Microsoft Edge.

8.40.2:L13 Corrected an issue that prevented the use of the whole sensor width for some aspect ratios.

8.40.2:L14 When the camera is restored, the time zone is not saved meaning that it will be set to GMT 0.

8.40.2:L15 When upgrading the camera, the maximum resolution could be incorrect.

8.40.2:L16 It is recommended to refresh the browser with F5 after doing a FW upgrade from FW 6.xx to 8.xx or higher in order to show all the new settings in the web-interface.

8.40.2:L17 The help text for the Leveling guide is missing.

8.40.2:L18 When setting the exposure zone, ensure that rotation is set to 0 degrees. After completing the exposure zone configuration, set rotation to the desired value.

Supported AXIS VAPIX API Image Resolutions for AXIS P3905-R-MkII
================================================================================
Resolution    Exceptions
==========    ==========
1920x1080     2)
1280x720
800x450
640x360
480x270
320x180
1280x960      1) 2)
1024x768      1) 2)
1024x640      1) 3)
1024x576      1)
800x600       1)
768x576       1)
720x576       1)
704x576       1)
704x480       1)
640x480       1)
640x400       1) 3)
704x288       1)
480x360       1)
704x240       1)
480x300       1) 3)
384x288       1)
352x288       1)
352x240       1)
320x240       1)
320x200       1) 3)
240x180       1)
240x135       1) 3)
192x144       1)
176x144       1)
176x120       1)
160x120       1)
160x100       1) 3)
160x90        1)
analyze       1)
80x50         1) 3)

1) Not visible in web user interface
2) 1080p
3) 720p