FIRMWARE RELEASE NOTE
=====================

Products affected:   AXIS V5914
Release date:        2021-12-17
Release type:        Production
Firmware version:    8.45.3.3
Preceding release:   8.45.3.2

--------------------------------------------------------------------------------

Upgrade instructions
====================
Upgrade the firmware according to the instructions given at
https://www.axis.com/ca/en/support/tecnical-notes/how-to-upgrade or
howtoupgrade.txt, which is included in the firmware folder.

NOTE
====================
For the latest information about Axis Cybersecurity, see
https://www.axis.com/se/sv/support/product-security.

BEFORE upgrading from 5.75.1.13 please note the following IMPORTANT INFORMATION:
As this is a very large step in Firmware versions, a Factory Default or Factory
Restore of the camera is required after the update in order to ensure full
functionality. This can be done via the web interface. Go to
Settings > System > Maintenance. More information on performing a Factory Reset
can be found in the User Manual.

Corrections in 8.45.3.3 since 8.45.3.2
=======================================
8.45.3.3:C01  General improvements to the 2018 LTS platform.
8.45.3.3:C02  Added ProxyDispatcherOnly option to the O3C/AVHS client that can control proxy configurations of dispatcher services.
8.45.3.3:C03  Corrected an issue that on some occasions could cause an H.264 stream to stall after a while if viewed in the browser.
8.45.3.3:C04  Corrected ONVIF response for WSPullPointSupport.
8.45.3.3:C05  Upgraded to OpenSSL 1.1.1l.
8.45.3.3:C06  Upgraded Apache to version 2.4.51.
8.45.3.3:C07  Corrected CVE-2021-31986.
8.45.3.3:C08  Corrected CVE-2021-31987.
8.45.3.3:C09  Corrected CVE-2021-31988.

Corrections in 8.45.3.2
================================================================================
8.45.3.2:C1  Improved stability when using longer SDI cables.

Features in 8.45.3.1
================================================================================
8.45.3.1:F1  Updated curl to version 7.68.0 to increase the minimum cybersecurity level.

Features in 8.45.3
================================================================================
8.45.3:F1  Axis Zipstream now supported for reduced bandwidth and storage requirements.
8.45.3:F2  Added support for ONVIF Audio Backchannel.
8.45.3:F3  New web-interface with improved usability and broader support of web-clients and operating systems. For more information please see https://www.axis.com/global/en/support/technical-notes/browser-support.
8.45.3:F4  CamStreamer ACAP updated to 3.4.2.
8.45.3:F5  Added support for AES-CBC 256-bit SD card encryption.
8.45.3:F6  Axis Video Motion Detection updated to 4.2.5.
8.45.3:F7  Added a new section "Snapshot of current CPU utilization" that prints information about CPU utilization and memory consumption of processes in the server report.
8.45.3:F8  Changed the default timeout of HTTP-Recipient based action rules from 10s to 120s to compensate for unstable networks or slow clients. After the timeout is reached, the action rule will be re-tried.
8.45.3:F9  Added the possibility for the user to share anonymous usage data with AXIS developers.
8.45.3:F10  Added support for automatically negotiating the preferred SMB protocol version with SMB 2.1 or higher in order to increase the overall minimum cybersecurity level. Please refer to the following FAQ for more information: https://www.axis.com/support/faq/FAQ116392.
8.45.3:F11  Added support for ONVIF Audio Backchannel with support for G711 and G726 audio codec. Cameras are able to retrieve audio while sending an audio capable video stream with metadata in the same RTSP session.
8.45.3:F12  Updated OpenEmbedded to version Poky Rocko to increase overall cyber security level.
8.45.3:F13  Updated the maximum number of recipients for action rules to 20 from 10.
8.45.3:F14  Changed the default setting of SRTP to disabled in order to reduce the number of ports opened by default.
8.45.3:F15  Prepared support for signed firmware to increase overall cyber security level. It is planned that the product will only accept AXIS security-signed firmware starting in Q1/Q2 2019 and onwards.
8.45.3:F16  The possibility to edit scripts in camera has been disabled by default in order to increase minimum cyber security level.
8.45.3:F17  Updated NTP server (openntpd) to version 6.2p3.
8.45.3:F18  Added support for showing hidden resolutions via API. The parameter Properties.Image.ShowSuboptimalResolutions has been added which will, when enabled, show all of the product's supported resolutions.
8.45.3:F19  Changed the behavior of the capture mode parameter. Changing capture mode now requires a reboot.
8.45.3:F20  Support for Firmware Recovery under Settings -> System -> Maintenance. The product saves a restore point every time the firmware is updated, allowing the user to roll back to a previous firmware and its configuration.
8.45.3:F21  Support for HTTP keep-alive connections via ONVIF. PTZ products can now be controlled via HTTP keep-alive connections. This increases PTZ control accuracy, reduces overhead communication and therefore lowers the risk for security focused network infrastructure or unstable networks to block or drop PTZ control commands.
8.45.3:F22  Support for browser stream statistics in Live View.
8.45.3:F23  Support for Password Security Confirmation Check. To increase overall cybersecurity awareness, a user-configured password that is considered "weak" needs to be confirmed actively twice by the user.
8.45.3:F24  The functionality of enabling Axis DNS Service via control button has been disabled by default. It can be enabled again using VAPIX.
8.45.3:F25  Changed the default web server authentication from Basic & Digest to Digest only.
8.45.3:F26  Upon a factory default, the camera will generate a self-signed certificate at boot and enable HTTPS. This allows clients to use encrypted access from start. If HTTPS is to be used in daily operations, it is recommended to replace the generated self-signed certificate with a CA-signed certificate.
8.45.3:F27  PTZ products can now be controlled via HTTP 1.1 keep-alive connections which increases PTZ control accuracy, reduces overhead communication and therefore lowers the risk for security focused network infrastructure to block PTZ control commands when controlling a PTZ camera.
8.45.3:F28  Support for AXIS SD card health API. The SD card health API allows a client to track and request the health and wear-out state of a camera with an AXIS Surveillance SD Card.
8.45.3:F29  The Axis Media Control (AMC) is no longer embedded in the product and needs to be downloaded separately on https://www.axis.com/global/en/support/downloads/axis-media-control if needed. The Java Applet has been removed as well.
8.45.3:F30  Our ONVIF implementation has been improved by adding GetVideoEncoderConfigurationOptions extension. This makes it possible for an ONVIF client to get the bitrate range.
8.45.3:F31  Renamed "Browser Stream Statistics" to "Client Stream Information". The Client Stream Information is available in the web-interface of the camera.
8.45.3:F32  The new web-interface supports 12 different pre-installed languages which will be chosen automatically based on browser settings. Uploading individual language files is not needed anymore.
8.45.3:F33  Updated help files with more detailed information about SMB and Certificate support in AXIS products.

Corrections in 8.45.3.1
================================================================================
8.45.3.1:C1  Corrected an issue that had removed the option to select line level audio input for 3.5mm from audio tab.
8.45.3.1:C2  Corrected an issue that had removed the option to add or remove 30dB audio boost.
8.45.3.1:C3  Corrected an issue that caused custom FTP ports to no longer function.
8.45.3.1:C4  Corrected an issue where the right audio channel failed to mute.
8.45.3.1:C5  Updated wpa-supplicant to version 2.9 and hostapd to version 2.9 to increase overall minimum cyber security level. Corrections for the following security vulnerabilities are included: CVE-2019-13377 CVE-2019-162
8.45.3.1:C6  Corrected an issue that prevented the device from resolving DNS hostnames when used in combination with SNMP.
8.45.3.1:C7  Corrected Vendor class identifier for DHCP negotiation.
8.45.3.1:C8  Corrected an issue that caused the test recipient button in the Web GUI to not work properly when setting up an event mail recipient.
8.45.3.1:C9  Corrected an issue that caused multicast redirection to fail on rare occasions.

Corrections in 8.45.3
================================================================================
8.45.3:C1  Updated OpenSSL to version 1.1.1d to increase overall minimum cyber security level.
8.45.3:C2  Updated Apache to version 2.4.41 to increase overall minimum cyber security level.
8.45.3:C3  Update libssh2 to version 1.9.0 to increase overall minimum cyber security level. This update includes correction for CVE-2019-13115.
8.45.3:C4  Corrected the following kernel vulnerabilities to increase overall minimum cyber security level (collectively known as "TCP SACK PANIC"): CVE-2019-11477, CVE-2019-11478, CVE-2019-11479.
8.45.3:C5  Improved the certificate management system: It is now possible to upload PKCS#12 certificates with a total size of 102400 bytes. The previous limit was 1/10 of it.
8.45.3:C6  Improved the certificate management system: added support for certificate IDs with long names.
8.45.3:C7  Added support for TLSv1.3.
8.45.3:C8  Corrected security vulnerability in Systemd CVE-2019-6454 to increase overall minimum cyber security level.
8.45.3:C9  Improved the certificate management system: added system log information for failing certificate upload.
8.45.3:C10  Improved robustness of the O3C client.
8.45.3:C11  Updated OpenSSH to version 7.9p to increase overall minimum cyber security level.
8.45.3:C12  Added information about Certificate ID to the Installed Certificates section in the server report.
8.45.3:C13  Corrected the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863, CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879, CVE-2018-10880, CVE-2018-10881, CVE-2018-10882, CVE-2018-10883, CVE-2018-17182, CVE-2018-5390, CVE-2018-14526, CVE-2016-2147, CVE-2016-2148, CVE-2017-9798, CVE-2018-16864, CVE-2017-16544, CVE-2019-6454, CVE-2018-16865, CVE-2018-16866, CVE-2019-0217.
8.45.3:C14  Updated pre-installed Mozilla CA-certificates to versions available at 20190122.
8.45.3:C15  Added GOP Length option to the Stream Profile Settings.
8.45.3:C16  Improved list.cgi to display all installed applications (no longer limited to 8).
8.45.3:C17  Improved stability in the httptest.cgi.
8.45.3:C18  Added Firmware Recovery (Firmware Rollback) information to the server report.
8.45.3:C19  Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible TLS version for HTTPS-based connections.
8.45.3:C20  Improved HTTP image upload stability in unstable networks.
8.45.3:C21  Improved camera stability when metadata is used.
8.45.3:C22  Improved loading of the web-interface in unstable networks.
8.45.3:C23  Improved stability in actionengine (tcp notification).
8.45.3:C24  Increased the limit of concurrent HTTP requests for I/O related VAPIX commands from 4 to 10.
8.45.3:C25  Adjusted re-connection behavior of interrupted AVHS connections on AVHS-server side. The time between failed connection attempts will now gradually increase until a hard limit is reached.
8.45.3:C26  Added Perfect Forward Secrecy ciphers (DHE-RSA) to the ciphers selection.
8.45.3:C27  Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible HTTPS negotiation client handshake via TLSv1.2.
8.45.3:C28  Added a Storage Stability Helper service for better handling of Network Shares.
8.45.3:C29  Added PID/program name to network connection list in the Server Report.
8.45.3:C30  Updated R2 GlobalSign Root Certificate to version 20170717. Required to enable Email recipients using 'Validate server certificate'.
8.45.3:C31  Added support for certificates with expiration dates beyond year 2038.
8.45.3:C32  Support for HTTP keep-alive connections via ONVIF. lowers the risk for security focused network infrastructure or unstable networks to block or drop PTZ control commands.
8.45.3:C33  Corrected an issue that let the PTZ control queue ignore an anonymous viewer account and deny PTZ control.
8.45.3:C34  Improved user notification when creating an E-mail recipient that contains wrong domain information.
8.45.3:C35  Improved camera stability when metadata is used.
8.45.3:C36  Improved camera stability when using liblicensekey.
8.45.3:C37  The IPv6 router IP-addresses are now shown correctly in the network interface of the web-interface and in ONVIF responses.
8.45.3:C38  Adjusted the system log messages for the NTP daemon to be more specific and highlight that there is a time drift instead of an "adjustment".
8.45.3:C39  Upgrade SSL negotiation in the AVHS client to SSLv23 instead of the deprecated TLSv1.
8.45.3:C40  The triple DES cipher is not selected as DEFAULT in the HTTPS settings to increase overall cyber security level.
8.45.3:C41  Updated the Portable UPnP SDK to 1.6.22 to increase the overall cyber security level.
8.45.3:C42  Improved stability for TCP notifications.
8.45.3:C43  Improved camera stability when TriggerData is used.

Known Bugs/Limitations
================================================================================
8.45.3.1:L1  It is not recommended to minimize an open stream tab in the GUI when using Chrome. This will cause latency that will be corrected by refreshing the browser.
8.45.3:L1  When using the Edge or Firefox web browser automatic license installation doesn't work as expected.
8.45.3:L2  Chrome will buffer the video stream if a new tab is opened in the foreground. Refresh the original tab to instead receive the live video stream.
8.45.3:L3  It is not possible to update the product using Genetec 5.7 SR2. Genetec will provide a patch in 5.7 SR3.
8.45.3:L4  There is only one available pre-installed audio clip (Camera clicks).
8.45.3:L5  When downgrading a firmware the static IP configuration is lost. Axis recommends to perform a factory reset after downgrading.
8.45.3:L6  When performing a firmware rollback to a version older than 5.90 the database on an SD-card or the network share will be incompatible and it needs to be reformatted.
8.45.3:L7  When using an iOS device and Chrome or Safari web browser it is not possible to switch from viewer to administrator or operator.
8.45.3:L8  It is not possible to receive audio encoding details in the browser stream information.
8.45.3:L9  It is not possible to create user accounts in Microsoft Edge 38 or IE 11. More information on recommended browsers can be found here https://www.axis.com/support/technical-notes/browser-support.
8.45.3:L10  It is not possible to receive audio encoding details in the browser stream statistics.
8.45.3:L11  It is recommended to perform a factory default after downgrading the camera's firmware if needed.
8.45.3:L12  No audio support when viewing MJPEG video streams directly in the web-interface. However, a recorded MJPEG video stream from the camera's storage can be played with audio using a 3rd party client e.g. Microsoft Windows Media Player.
8.45.3:L13  Camera is not inserting a new I-frame when a 2nd client requests a video stream via multicast through RTSP which results in additional waiting time before video streaming starts.
8.45.3:L14  Videos that have been recorded using the video capture feature in live view may not be playable in some media players (e.g. VLC) as it is in a fragmented MP4 format without total video duration.
8.45.3:L15  Some parts of the web-interface may not be fully translated.

Supported AXIS VAPIX API Image Resolutions for AXIS V5914
=========================================================

Resolution  Exceptions
==========  ==========
1280x720
800x450
480x270
320x180
1280x960    1)
1024x768    1)
1024x576    1)
800x600     1)
768x576     1)
720x576     1)
704x576     1)
704x480     1)
704x288     1)
704x240     1)
640x480     1)
640x360     1)
480x360     1)
384x288     1)
352x288     1)
352x240     1)
320x240     1)
240x180     1)
192x144     1)
176x144     1)
176x120     1)
160x120     1)
160x90      1)

1) Not visible in web user interface