FIRMWARE RELEASE NOTE ====================== Products affected: AXIS P3905-R-MkII Release date: 2022-05-06 Release type: Production Firmware version: 8.40.4.5 Preceding release: 8.40.4.4 -------------------------------------------------------------------------------- This is the LTS-2018 track. Upgrade instructions ==================== Upgrade the firmware according to the instructions given at https://www.axis.com/ca/en/support/technical-notes/how-to-upgrade or howtoupgrade.txt, which is included in the firmware folder. NOTE ==================== For latest information about Axis Cybersecurity, see https://www.axis.com/se/sv/support/product-security. Corrections in 8.40.4.5 since 8.40.4.4 ======================================= 8.40.4.5:C01 General improvements to the LTS-2018 platform. 8.40.4.5:C02 Corrected CVE-2018-25032. 8.40.4.5:C03 Improved memory management in the network services daemon. 8.40.4.5:C04 Updated OpenSSL to version 1.1.1o to increase the overall cybersecurity level. 8.40.4.5:C05 Corrected an issue that caused the Send images event to stop uploading towards a FTP server when the filename included a space (" "). 8.40.4.5:C06 Updated wpa-supplicant to version 2.10 to increase overall minimum cybersecurity level. 8.40.4.5:C07 Receiving ICMP redirects from other network hosts are now disabled to increase overall minimum cybersecurity level. 8.40.4.5:C08 Upgraded Apache to version 2.4.53 to increase overall cybersecurity level. Corrections in 8.40.4.4 since 8.40.4.3 ======================================= 8.40.4.4:C01 General improvements to the LTS-2018 platform. 8.40.4.4:C02 Corrected an issue that prevented firmware upgrade from LTS-2016. 8.40.4.4:C03 Updated OpenSSL to version 1.1.1m to increase the overall cybersecurity level. 8.40.4.4:C04 Improved handling of empty recordings. 8.40.4.4:C05 Upgraded Curl to version 7.79.1 to increase overall cybersecurity level. 8.40.4.4:C06 Upgraded Apache to version 2.4.52 to increase overall cybersecurity level. 8.40.4.4:C07 The Remote Syslog configuration is now preserved during a firmware update within the same firmware track. Corrections in 8.40.4.3 since 8.40.4.2 ======================================= 8.40.4.3:C01 General improvements to the LTS-2018 platform. 8.40.4.3:C02 Corrected an issue that did not account for MTU packet fragmentation for IEEE 802.1x authentication. Previously the Axis device was not able to authenticate properly against an 802.1x network when the MTU was configured to 1410 or lower. 8.40.4.3:C03 Corrected CVE-2021-27219. 8.40.4.3:C04 Corrected CVE-2021-31987. 8.40.4.3:C05 Corrected CVE-2021-27218. 8.40.4.3:C06 Corrected CVE-2019-12450. 8.40.4.3:C07 Corrected an issue that in combination with some VMSes and low resolution could cause brief disconnections in the video stream. 8.40.4.3:C08 Corrected an issue that interrupted the NTP-time-sync between the Axis device and NTP- server when the NTP-server was operating instable and suffered fluctuating time-changes. 8.40.4.3:C09 Corrected an issue that could cause an RTSP stream to stop after 60+ seconds if streamed to an openRTSP client. 8.40.4.3:C10 Updated Apache to version 2.4.48 to increase overall cybersecurity level. 8.40.4.3:C11 Updated OpenSSH to version 8.6p1 to increase the overall minimum cybersecurity level. 8.40.4.3:C12 Updated OpenSSL to version 1.1.1l to increase overall cyber security level. 8.40.4.3:C13 Corrected CVE-2021-31986. 8.40.4.3:C14 Corrected nice names for the PreventDoSAttack parameters in Settings -> System -> Plain Config-> System -> PreventDoSAttack. 8.40.4.3:C15 Extended the 802.1x EAP-Identity field character limit from 32 to 128 characters. 8.40.4.3:C16 Corrected an issue that caused images to be unusually dark when using WDR mode. 8.40.4.3:C17 Improved memory management in the DHCP lease update daemon. 8.40.4.3:C18 Corrected an issue that prevented streaming in "always-multicast mode" on rare occasions. 8.40.4.3:C19 Corrected CVE-2021-31988. 8.40.4.3:C20 Corrected an issue that prevented the Axis device to respond with "HTTP 403 Forbidden" when the source-ip address was blocked when using PreventDOSAttack in Plain Config -> System. Previously "HTTP 401 Unauthorized" was returned. 8.40.4.3:C21 Improved memory management in the network services daemon. 8.40.4.3:C22 Updated curl to version 7.78.0 to increase overall cybersecurity level. Corrections in 8.40.4.2 since 8.40.4.1 ======================================= 8.40.4.2:C01 General improvements to the LTS-2018 platform. 8.40.4.2:C02 Corrected an issue that caused IEEE 802.1x network authentication to fail sometimes after unexpected reboots. 8.40.4.2:C03 Improved Link Layer Discovery Protocol (LLDP) system stability. 8.40.4.2:C04 Corrected an issue that caused the value of Quality of Service (QoS) to not be respected in always multicast mode. 8.40.4.2:C05 Updated curl to version 7.73.0 to increase overall cybersecurity level. 8.40.4.2:C06 Corrected an issue that caused PKCS#12-formatted certificate uploads to fail when certain special characters were used as a password. 8.40.4.2:C07 Corrected an issue in oak.cgi that could cause invalid requests. 8.40.4.2:C08 Updated OpenSSL to version 1.1.1k to fix CVE-2021-3449 and CVE-2021-3450. 8.40.4.2:C09 Added support for Micron SD Card Health Monitoring. Corrections in 8.40.4.1 since 8.40.4 ===================================== 8.40.4.1:C01 General improvements to the LTS-2018 platform. 8.40.4.1:C02 Reduced time to built-up an RTSP video stream by 30% and more. 8.40.4.1:C03 Corrected an issue that caused distorted h265 streams on rare occasions. 8.40.4.1:C04 Added support for HTTP Strict Transport Security (HSTS) when using HTTPS. 8.40.4.1:C05 Updated Apache to version 2.4.46 to increase overall cyber security level. 8.40.4.1:C06 Corrected an issue that caused an error message to pop-up when pressing the test button of an event using HTTP recipients. Corrections in 8.40.4 since 8.40.3.3 ===================================== 8.40.4:C01 General improvements to the LTS 2018 platform. 8.40.4:C02 Corrected an issue that caused old recordings to not be removed after their retention period was expired. 8.40.4:C03 Updated curl to version 7.69.1 to increase overall cybersecurity level. 8.40.4:C04 Corrected a streaming issue to handle timestamps correctly after a RTSP:PAUSE/RESUME event. This could cause gaps in recordings when using Axis Media Control (AMC). 8.40.4:C05 Disabled the HTTP Options method in the Apache webserver replies to increase overall cyber security level. 8.40.4:C06 Added possibility to retrieve the device Owner Authentication Key (OAK) in the web GUI. Note that this functionality requires that the product have direct access to the internet. 8.40.4:C07 Updated OpenSSL to version 1.1.1g to increase overall cybersecurity level. 8.40.4:C08 Updated Apache to version 2.4.43 to increase overall cybersecurity level. Corrections in 8.40.3.3 since 8.40.3.2 ======================================= 8.40.3.3:C01 General improvements to the 2018 LTS platform. 8.40.3.3:C02 Added ProxyDispatcherOnly option to the O3C/AVHS client that can control proxy configurations of dispatcher services. 8.40.3.3:C03 Corrected an issue that on some occasions could cause an H.264 stream to stall after a while if viewed in the browser. 8.40.3.3:C04 Corrected ONVIF response for WSPullPointSupport. Corrections in 8.40.3.2 since 8.40.3.1 ======================================= 8.40.3.2:C01 General improvements to the 2018 LTS platform. 8.40.3.2:C02 Corrected Vendor class identifier for DHCP negotiation. 8.40.3.2:C03 Updated curl to version 7.68.0 to increase the minimum cybersecurity level. 8.40.3.2:C04 Corrected an issue that prevented the device from resolving DNS hostnames when used in combination with SNMP. 8.40.3.2:C05 Added the option to disable Web-Service Discovery (WS-Discovery) protocol in Plain Config. 8.40.3.2:C06 Corrected an issue that caused the test recipient button in the Web GUI to not work properly when setting up an event mail recipient. 8.40.3.2:C07 Corrected an issue that caused multicast redirection to fail on rare occasions. 8.40.3.2:C08 Updated Linux kernel to version 4.9.197 to increase the minimum cybersecurity level. 8.40.3.2:C09 Corrected an issue that prevented the user from exporting recordings when the product was configured to Alaska timezone. 8.40.3.2:C10 Corrected an issue that caused the EAP-START package not to be sent during IEEE 802.1x port authentication upon network link state change. 8.40.3.2:C11 Updated wpa-supplicant to version 2.9 and hostapd to version 2.9 to increase overall minimum cyber security level. Corrections for the following security vulnerabilities are included: CVE-2019-13377 CVE-2019-16275. 8.40.3.2:C12 Corrected a streaming issue affecting RTSP tunneled via HTTPs. Corrections in 8.40.3.1 since 8.40.3 ===================================== 8.40.3.1:C01 General improvements to the 2018 LTS platform. 8.40.3.1:C02 Corrected an issue that on rare occasions caused the image to go grey when streaming JPEG. 8.40.3.1:C03 Corrected an issue that caused playback from a SD card of recorded MKV files with audio to fail on rare occasions. 8.40.3.1:C04 Corrected an issue with the resolution on the ONVIF command getstatus (PTZ). 8.40.3.1:C05 Corrected an issue that caused a reboot of the camera to start an ACAP even though STARTMODE=never was set in its configuration. 8.40.3.1:C06 Corrected an issue that made it possible to add an action rule recipient without nice-name via API. 8.40.3.1:C07 Updated OpenSSL to version 1.1.1d to increase overall minimum cyber security level. 8.40.3.1:C08 Corrected an issue that caused param.cgi to show password in plain text when listing a specified ACAP parameter. 8.40.3.1:C09 Corrected a streaming issue that caused the RTSP server to omit the RTP-info header on rare occasions. 8.40.3.1:C10 Corrected an issue that caused time in recording list to be incorrect for America/Caracas, Africa/Cairo and Asia/Baku. 8.40.3.1:C11 Updated Apache to version 2.4.41 to increase overall minimum cyber security level. 8.40.3.1:C12 Corrected an issue that caused fan status not to be reported correctly via SNMP. 8.40.3.1:C13 Corrected an issue that caused parameter hidden:on_off in the Axis ACAP SDK to not work properly. 8.40.3.1:C14 Corrected an issue that caused a log in pop-up to appear in the WebGUI after a factory default even though no users had been configured yet. 8.40.3.1:C15 Added support for health status from Western Digital SD-cards. 8.40.3.1:C16 Corrected an issue that caused the capture_open_stream API in the Axis ACAP SDK to not work properly. Corrections in 8.40.3 since 8.40.2.3 ===================================== 8.40.3:C01 General minor improvements to the 8.40 LTS platform. 8.40.3:C02 Removed the root users default password in factory defaulted firmware. The password of the root user must be set first in order to initialize VAPIX and ONVIF interfaces to allow further configuration. This change only affects products in its factory defaulted state, products that are already deployed in production systems are not affected by this update until factory defaulted. 8.40.3:C03 Update libssh2 to version 1.9.0 to increase overall minimum cyber security level. This update includes correction for CVE-2019-13115. Corrections in 8.40.2.3 since 8.40.2.2 ======================================= 8.40.2.3:C01 General minor improvements to the 8.40 LTS platform. 8.40.2.3:C02 Corrected the following kernel vulnerabilities to increase overall minimum cyber security level (collectively known as "TCP SACK PANIC"): CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. 8.40.2.3:C03 Corrected an issue that caused problems accessing devices via O3C/Axis Guardian using Microsoft Edge browser. 8.40.2.3:C04 Improved the certificate management system: It is now possible to upload PKCS#12 certificates with a total size of 102400 bytes. The previous limit was 1/10 of it. 8.40.2.3:C05 Corrected an issue that caused some users not to be displayed in the webGUI's user list on rare occasions. 8.40.2.3:C06 Improved the certificate management system: added support for certificate IDs with long names. 8.40.2.3:C07 Updated openSSL to version 1.1.1c to increase overall minimum cyber security level. 8.40.2.3:C08 Added support for TLSv1.3. 8.40.2.3:C09 Corrected security vulnerability in Systemd CVE-2019-6454 to increase overall minimum cyber security level. 8.40.2.3:C10 Improved the certificate management system: added system log information for failing certificate upload. 8.40.2.3:C11 Corrected an issue that caused SMB connection problems to NetApp NAS configured for SMBv2. 8.40.2.3:C12 Updated libssh2 to version 1.8.2 due to that version 1.8.1 broke publickey-userauth requests. 8.40.2.3:C13 Corrected an issue that caused images to be unusually dark in WDR mode on rare occasions. 8.40.2.3:C14 Corrected an issue that caused view areas, set in the web GUI, not to be preserved after changing camera resolution. Corrections in 8.40.2.2 since 8.40.2.1 ======================================= 8.40.2.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.2.2:C02 Updated Apache to version 2.4.39 to increase overall minimum cyber security level. 8.40.2.2:C03 Improved robustness of the O3C client. 8.40.2.2:C04 Updated OpenSSL to version 1.1.1b to increase overall minimum cyber security level. 8.40.2.2:C05 Updated OpenSSH to version 7.9p to increase overall minimum cyber security level. 8.40.2.2:C06 Added information about Certificate ID to the Installed Certificates section in the server report. Corrections in 8.40.2.1 since 8.40.2 ===================================== 8.40.2.1:C01 Corrected an issue with sensor settings causing loss of image. Corrections in 8.40.2 since 8.40.1.2 ===================================== 8.40.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.2:C02 Corrected the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863. 8.40.2:C03 Corrected security vulnerability CVE-2019-0217 in Apache to increase overall minimum cyber security level. 8.40.2:C04 Corrected security vulnerability CVE-2017-16544 in BusyBox to increase overall minimum cyber security level. 8.40.2:C05 Corrected an issue that caused a viewer user to not be able to obtain the list of image resolution properties via param.cgi. 8.40.2:C06 Corrected an issue in the Web-GUI that prevented to upload a Client Certificate or CA certificate using the Edge browser. 8.40.2:C07 Updated pre-installed Mozilla CA-certificates to versions available at 20190122. 8.40.2:C08 Added GOP Length option to the Stream Profile Settings. 8.40.2:C09 Corrected the following vulnerabilities in order to increase overall minimum cybersecurity level: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866. 8.40.2:C10 Updated OpenSSL to version 1.0.2r to increase overall minimum cyber security level. 8.40.2:C11 Corrected an issue with timestamps in the RTCP Sender Report that could cause RTSP recordings/playbacks not to work correctly in some video players using the Live555 library such as VLC and ffmpeg. Corrections in 8.40.1.2 since 8.40.1.1 ======================================= 8.40.1.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.1.2:C02 Corrected an issue in the web GUI when creating a preset position and the language was set to German. 8.40.1.2:C03 Corrected an issue that could cause the camera to get unresponsive when two clients are streaming over multicast using the same streaming parameters. 8.40.1.2:C04 Upgraded Apache to version 2.4.38 to increase overall minimum cyber security level. 8.40.1.2:C05 Corrected an issue with Always Multicast over IPv6. 8.40.1.2:C06 Corrected an issue that caused factory default settings to not be applied correctly when upgrading from a firmware version prior to 6.20. 8.40.1.2:C07 Corrected an issue in the web GUI that caused IO Port values to be displayed incorrectly. 8.40.1.2:C08 Corrected an issue that caused Recorded Guard Tour not to work properly on rare occasions. 8.40.1.2:C09 Improved re-connection behavior to AVHS server. The time between failed connection attempts will now gradually increase until a hard limit is reached. New features in 8.40.1.1 ================================================================================ 8.40.1.1:F1 The FTP Server is now disabled by default as it is not used during normal operation and may pose a security risk.The FTP Server may be enabled during advanced maintenance or troubleshooting in Settings -> System -> PlainConfig -> Network. 8.40.1.1:F2 Support for Brute Force Delay Protection. The product can block a client for a period of time if too many login attempts failed. Brute Force Delay Protection can be configured under System -> PlainConfig -> System -> System PreventDoSAttack. 8.40.1.1:F3 The former user group selections for HTTPS Connection Policy (administrator, operator, viewer) have been merged to one single HTTPS Connection Policy. 8.40.1.1:F4 New web-interface with improved usability and broader support of web-clients and operating systems. For more information please see https://www.axis.com/global/en/support/technical-notes/browser-support. 8.40.1.1:F5 The new web-interface supports 12 different pre-installed languages which will be chosen automatically based on browser settings. Uploading individual language files is not needed anymore. Supported Languages: English - German - French - Spanish - Italian - Portugese - Polish - Russian - Japanese - Chinese (Mainland) - Chinese (Taiwan) - Korean 8.40.1.1:F6 Support for automatic license key installation when installing an ACAP under Settings -> Apps. 8.40.1.1:F7 The new web-interface is notifying the viewer in the Live View that the video stream lags and recommends to may refresh the browser or restart the video stream manually. However, the web-interface is automatically refreshing the video stream in case the video lag increases too much. Lagging video streams can be caused by outdated browser versions or insufficient computer performance. 8.40.1.1:F8 The following features have been added to the new web-interface: Image: - BDC (Barrell Distortion Correction) - Backfocus Configuration Settings: - SNMP Live View: - Local Video Recording to Computer View Areas: - Auto select best matching resolution/aspect ratio 8.40.1.1:F9 Pressing "Download the server report" in System -> Maintenance will now automatically attach a snapshot of the image to the .zip file in order to simplify support. 8.40.1.1:F10 Support for SRTP (Encrypted Video Streaming) according to RFC 3711. The cameras video stream can be received via secure end-to-end encrypted transportation method only by authorized clients. 8.40.1.1:F11 A parameter called "Enable the script editor (editcgi)" has been added to plain config -> system section to enable/disable the feature. Editcgi will be removed in future completely and function is considered deprecated. 8.40.1.1:F12 Support for Adaptive Resolution. Adaptive Resolution is enabled per default and takes only effect when viewing live stream in the web-interface. The viewing client will receive a image resolution that is adapted or close to the viewing clients real display resolution to higher the user experience. 8.40.1.1:F13 Support for Zipstream Dynamic FPS - Lower Limit Support for Zipstream Dynamic GOP - Upper Limit It is now possible to further adjust and set limits for Dynamic FPS and Dynamic GOP settings and can be configured under Stream settings -> Zipstream. 8.40.1.1:F14 Support for Flash All/Factory Default while performing a firmware update. It is now possible to select an option that will factory default the camera after a firmware update/downgrade has been performed under Settings -> System -> Maintenance. 8.40.1.1:F15 Added a link under Settings -> Apps for the user to get fast-access to information about available ACAPs on www.axis.com/products/analytics-and-other- applications. 8.40.1.1:F16 Support for Password Security Confirmation Check. To increase overall cybersecurity awareness, a user-configured password that is considered "weak" need to be confirmed actively twice by the user. 8.40.1.1:F17 Changed the default setting of SRTP to disabled in order to reduce the number of ports opened by default. 8.40.1.1:F18 AXIS Video Motion Detection 4.2.4 is now pre-installed. 8.40.1.1:F29 Prepared support for signed firmware to increase overall cyber security level. It is planned that the product will only accept AXIS security-signed firmware starting in Q1/Q2 2019 and onwards. 8.40.1.1:F20 Updated Apache to version 2.4.35 to increase overall minimum cyber security level. 8.40.1.1:F21 Updated to OpenSSL version 1.0.2p to increase overall minimum cyber security level. Corrections in 8.40.1.1 ================================================================================ 8.40.1.1:C1 Corrected a bug that denied the access to the camera when AXIS Companion / Remote Access is used when web server connection policy was set to "HTTPS only". 8.40.1.1:C2 It is now possible to fast forward/rewind to any time in a selected recording using the web interface. 8.40.1.1:C3 It is now possible to encrypt SD card from Mozilla Firefox. 8.40.1.1:C4 Corrected an issue that caused the camera to stop streaming on rare occasions. 8.40.1.1:C5 Corrected an issue in the event system that prevented the camera from re-sending the SMTP notification every 10 seconds in case the receiving server reported an error. 8.40.1.1:C6 The web-interface is showing now the correct day selection of a Axis Companion configured time schedule. Previously the Sunday was unchecked every time when minimum one more day was not selected too. 8.40.1.1:C7 Corrected a issue resulting in 503 Service Unavailable when trying to play a recording from a camera with a specific time range via ONVIF. 8.40.1.1:C8 Corrected an issue with an additional sign / in the absolute upload path of an SFTP Recipient when saving the action rule causing it to not work correctly. 8.40.1.1:C9 Corrected an issue when an ONVIF client connected to the camera via digest authentication. 8.40.1.1:C10 Fixed memory leak in wsd daemon that e.g. handles ONVIF requests. 8.40.1.1:C11 Reduced the waiting time for receiving a video stream significantly when a 2nd client requests a video stream via multicast. 8.40.1.1:C12 Fixed critical vulnerability ACV-116267. 8.40.1.1:C13 The area zoom functionality has been removed from the web-interface. Area zoom was used to draw a rectangle in the live view to let the camera either mechanical or digital PTZ to its desired position. 8.40.1.1:C14 Corrected an issue that delivered E-Mails send from the camera with a wrong time stamp in the e-mail header. 8.40.1.1:C15 Corrected an issue with FTP recipients configured with a DNS name instead of a static IP-address which caused the FTP recipient test or action rule to fail. 8.40.1.1:C16 Corrected an issue that let the recorded video to the computer using the Video Capture button be incorrectly displayed or unusable in some rare occasions. 8.40.1.1:C17 Corrected security vulnerability CVE-2016-2147 and CVE-2016-2148. 8.40.1.1:C18 Corrected critical vulnerability ACV-120444. 8.40.1.1:C19 Corrected an issue that let a configured overlay disappear when switching to Image or View Area Tab. 8.40.1.1:C20 Corrected an issue that required the user to enter login credentials when anonymous viewer is enabled. 8.40.1.1:C21 Corrected an issue that prevented trigger data to be inserted in every I-frame and when motion detection triggers. 8.40.1.1:C22 Corrected an issue that could cause noise in images in rare occasions. 8.40.1.1:C23 Corrected critical vulnerability ACV-128401. 8.40.1.1:C24 Corrected an issue that caused the image to be cut off in full screen mode in the live view when rotated 90 or 270 degrees. 8.40.1.1:C25 Corrected an issue with the AXIS event handler registration for ADP partners. 8.40.1.1:C26 Corrected an issue that caused the camera to become unreachable via link local address in the network when connecting client was in another subnet. 8.40.1.1:C27 Corrected an issue that caused the camera to become unresponsive on rare occasions when running ACAPs without specified ApplicationId. 8.40.1.1:C28 Increased user awareness when converting legacy overlays to dynamic overlays. A restart of ongoing recordings is required after overlay conversion. 8.40.1.1:C29 Corrected an issue with the Axis event handling interface when deactivating events. 8.40.1.1:C30 Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible TLS version for HTTPS-based connections. 8.40.1.1:C31 Corrected an issue in the ACAP framework that caused installed ACAPs to become unresponsive and the Apps tab not to be shown correctly. 8.40.1.1:C32 Corrected an issue that caused AXIS Perimeter Defender or SafeZoneEdge to stop working after a firmware upgrade. 8.40.1.1:C33 Corrected an issue that could cause the configuration file upload from ADM to camera to fail. 8.40.1.1:C34 Patched security vulnerability CVE-2018-5390 to increase overall minimum cyber security level. 8.40.1.1:C35 Corrected an issue that prevented the user from receiving the correct recording list in AXIS Companion in combination with view areas or multi-sensor products. 8.40.1.1:C36 Patched security vulernability CVE-2018-14526 to increase overall minimum cyber security level. 8.40.1.1:C37 Corrected an issue that prevented the user to video stream to two multicast destinations with the same port range. 8.40.1.1:C38 Corrected an issue that could cause incorrect snapshot resolutions on view areas. 8.40.1.1:C39 Patched security vulernability CVE-2018-17182 to increase overall minimum cyber security level. 8.40.1.1:C40 Patched the following security vulnerabilities to increase overall minimum cyber security level: CVE-2018-10876 - CVE-2018-10877 CVE-2018-10878 - CVE-2018-10879 CVE-2018-10880 - CVE-2018-10881 CVE-2018-10882 - CVE-2018-10883 8.40.1.1:C41 Corrected an issue that caused an HTTP-recipient based action rule to fail when the response from the server excluded the textual phrase (Example: HTTP 200). This will work now. 8.40.1.1:C42 Corrected an issue that corrupted the file integrity of a JPEG image without any further impact to the visible image quality. 8.40.1.1:C43 Corrected an issue that prevented the user from uploading a certificate that contains "Bag Attributes" before and after the actual certificate content. 8.40.1.1:C44 Corrected an issue that was showing "User Defined" or "User Defined 20000000" in the shutter list. 8.40.1.1:C45 Corrected an issue that could cause the camera to become unresponsive in rare occasions when connected to an AVHS system. 8.40.1.1:C46 Corrected security vulnerability CVE-2017-9798. 8.40.1.1:C47 Corrected an issue that made it necessary to login twice when connecting to the web-interface using Microsoft Edge. 8.40.1.1:C48 Corrected an issue that prevented the use of the whole sensor width for some aspect ratios. 8.40.1.1:C49 Corrected an issue that prevented the user from formatting SD cards and the web- interface to show incorrect information about network share status in Settings -> System -> Storage. 8.40.1.1:C50 Corrected an issue that could cause a network share to become read-only. Known Bugs/Limitations ================================================================================ 8.40.3:L1 Privacys masks names that have been created in the classic web-interface may have a malformed name in the new web-interface (e.g. "Mask 0" -> "Mask%200"). 8.40.3:L2 Automatic License installation is temporary is missing when installing ACAPs in the new web-interface. This was possible in classic web-interface. 8.40.3:L3 The rotate image drop-down list is partially hidden for Internet Explorer 11. 8.40.3:L4 Video Streaming (MJPEG, H264) in latest Internet Explorer 11 via IPv6 does not work. Working good in Chrome, Edge, Firefox. 8.40.3:L5 It is recommended to refresh the browser page (F5) when a OSDI zone is deleted as the control buttons (Add, Modify, Enable/Disable, Remove) will disappear after doing so. 8.40.3:L6 The license expiration date of an installed ACAP is not shown when running http ://ip-address/axis-cgi/applications/list.cgi. 8.40.3:L7 Connecting to a camera will fail and result in "Unauthorized" message due to an bug in Microsoft Edge 40 browser. This will be corrected by Microsoft in the next version of Edge 41. 8.40.3:L8 An overlay text (e.g. date/time modifier) that has been configured in the classic web-interface will be still shown in the new web-interface even though a user might have disabled the overlay text there after firmware update. A user need to disable the overlay text in the Plain config. Untick the checkboxes for Image Ix Text -> ClockEnabled and DateEnabled. 8.40.3:L9 Zooming using the mouse wheel does not work in LiveView. 8.40.3:L11 Corrected an issue that could cause the camera to become unresponsive in rare occasions when connected to an AVHS system. 8.40.3:L12 Corrected an issue that made it necessary to login twice when connecting to the web-interface using Microsoft Edge. 8.40.3:L13 Corrected an issue that prevented the use of the whole sensor width for some aspect ratios. 8.40.3:L14 When the camera is restored, the time zone is not saved meaning that it will be set to GMT 0. 8.40.3:L15 When upgrading the camera, the maximum resolution could be incorrect. 8.40.3:L16 It is recommend to refresh the browser with F5 after doing a FW upgrade from FW 6.xx to 8.xx or higher in order to show all the new settings in the web- interface. 8.40.3:L17 The help text for the Leveling guide is missing. 8.40.3:L18 When setting exposure zone assure that rotation is set to 0 degrees. After completed exposure zone configuration, set rotation to a desired value. Supported AXIS VAPIX API Image Resolutions for AXIS P3905-R-MkII ================================================================================ Resolution Exceptions ========== ========== 1920x1080 2) 1280x720 800x450 640x360 480x270 320x180 1280x960 1) 2) 1024x768 1) 2) 1024x640 1) 3) 1024x576 1) 800x600 1) 768x576 1) 720x576 1) 704x576 1) 704x480 1) 640x480 1) 640x400 1) 3) 704x288 1) 480x360 1) 704x240 1) 480x300 1) 3) 384x288 1) 352x288 1) 352x240 1) 320x240 1) 320x200 1) 3) 240x180 1) 192x144 1) 176x144 1) 176x120 1) 160x120 1) 160x100 1) 3) 160x90 1) analyze 1) 80x50 1) 3) 1) Not visible in web user interface 2) 1080p 3) 720p Known Bugs/Limitations ================================================================================ 8.40.3:L1 Privacys masks names that have been created in the classic web-interface may have a malformed name in the new web-interface (e.g. "Mask 0" -> "Mask%200"). 8.40.3:L2 Automatic License installation is temporary is missing when installing ACAPs in the new web-interface. This was possible in classic web-interface. 8.40.3:L3 The rotate image drop-down list is partially hidden for Internet Explorer 11. 8.40.3:L4 Video Streaming (MJPEG, H264) in latest Internet Explorer 11 via IPv6 does not work. Working good in Chrome, Edge, Firefox. 8.40.3:L5 It is recommended to refresh the browser page (F5) when a OSDI zone is deleted as the control buttons (Add, Modify, Enable/Disable, Remove) will disappear after doing so. 8.40.3:L6 The license expiration date of an installed ACAP is not shown when running http ://ip-address/axis-cgi/applications/list.cgi. 8.40.3:L7 Connecting to a camera will fail and result in "Unauthorized" message due to an bug in Microsoft Edge 40 browser. This will be corrected by Microsoft in the next version of Edge 41. 8.40.3:L8 An overlay text (e.g. date/time modifier) that has been configured in the classic web-interface will be still shown in the new web-interface even though a user might have disabled the overlay text there after firmware update. A user need to disable the overlay text in the Plain config. Untick the checkboxes for Image Ix Text -> ClockEnabled and DateEnabled. 8.40.3:L9 Zooming using the mouse wheel does not work in LiveView. 8.40.3:L11 Corrected an issue that could cause the camera to become unresponsive in rare occasions when connected to an AVHS system. 8.40.3:L12 Corrected an issue that made it necessary to login twice when connecting to the web-interface using Microsoft Edge. 8.40.3:L13 Corrected an issue that prevented the use of the whole sensor width for some aspect ratios. 8.40.3:L14 When the camera is restored, the time zone is not saved meaning that it will be set to GMT 0. 8.40.3:L15 When upgrading the camera, the maximum resolution could be incorrect. 8.40.3:L16 It is recommend to refresh the browser with F5 after doing a FW upgrade from FW 6.xx to 8.xx or higher in order to show all the new settings in the web- interface. 8.40.3:L17 The help text for the Leveling guide is missing. 8.40.3:L18 When setting exposure zone assure that rotation is set to 0 degrees. After completed exposure zone configuration, set rotation to a desired value. Supported AXIS VAPIX API Image Resolutions for AXIS P3905-R-MkII ================================================================================ Resolution Exceptions ========== ========== 1920x1080 2) 1280x720 800x450 640x360 480x270 320x180 1280x960 1) 2) 1280x800 1024x768 2) 1024x640 3) 1024x576 1) 800x600 800x500 768x576 1) 720x576 1) 704x576 1) 704x480 1) 640x480 640x400 3) 704x288 1) 480x360 704x240 1) 480x300 3) 384x288 1) 352x288 1) 352x240 1) 320x240 320x200 3) 240x180 240x135 1) 3) 192x144 1) 176x144 176x120 1) 160x120 160x100 3) 160x90 analyze 1) 80x50 1) 3) 1) Not visible in web user interface 2) 1080p 3) 720p