Download Symantec Encryption Management Server 3.4.1

Symantec has in the past acquired two different companies that developed encryption software, namely GuardianEdge and PGP. The software from these two acquisitions has long been released as two different encryption product lines by Symantec, the GuardianEdge line was renamed to Endpoint Encryption, and the PGP line was renamed to Encryption Desktop along with Encryption Management Server. To an outsider, it’s confusing that one company released two different encryption products that competed and couldn’t work with each other. There is with the release of Endpoint Encryption 11 largely came to an end in 2014. Since there is no easy way to upgrade from SED and SEMS to SEE, maintenance packs are still being released for the old PGP line. The developers have released Symantec Encryption Management Server 3.4.1 with the following changes:

What’s New in Symantec Encryption Management Server 3.4.1

• Lockout feature for Administrator accounts added – Symantec Encryption Management Server now enables you to automatically lock Administrator accounts after a number of failed login attempts. You can configure the number of login attempts that are allowed, as well as the duration of the lockout period. This feature protects Administrator accounts and Symantec Encryption Management Server against unauthorized access using the brute force entry method.
• Support added for PUP updates – Symantec Encryption Management Server now supports PUP updates while upgrading from version 3.4.0 or later.

The following issues were resolved in version 3.4.1:

• Added support for a configurable security feature that locks Administrator accounts after a number of failed login attempts. [3947631]
• In response to HTTP_PROXY security vulnerabilities CVE-2016-5387 (httpd) and CVE-2016-5388 (Apache Tomcat), removed the header and rebuilt the packages, even though Symantec Encryption Management Server was not impacted. [3988862]
• Resolved the potential security vulnerability for SSL/TLS identified in CVE-2016-2183 by applying the patch provided by Red Hat Enterprise Linux, thus preventing attacks against 64-bit block ciphers. [3989781]
• In response to security vulnerability CVE-2016-5696, updated the value of the tcp_challenge_ack_limit in the Linux kernel. [3999008]
• In response to security vulnerability CVE-2016-2776 in which a BIND flaw potentially could arise in response to certain queries, upgraded the bind packages. [4005768]
• In response to security vulnerability CVE-2016-5195, applied the patch provided by Red Hat Enterprise Linux to ensure no privilege escalation takes place because of a breakage in MAP_PRIVATE COW, even though Symantec Encryption Management Server was not affected. [4010837]
• Certificates with a subject length greater than 256 characters can now be imported. [2658254]
• If you configure an email policy rule to encrypt outbound emails using an additional certificate (Other Keys/Certificates option), outbound messages are no longer delivered in plain text after the certificate expires. Instead, such emails are now blocked or bounced. [3896269]
• Administrators can now configure Symantec Encryption Web Email Protection external user accounts so that the Web Email Protection invitations sent to external users expire after a specific time period. [3916589]

Upgrade

• Custom keyservers are now replicated across all clustered servers. [3738817] However, when you upgrade your server from version 3.3.2 or later to 3.4.1, if you had manually added the custom keyservers to the cluster members, duplicate custom keyserver entries appear. If you had manually added custom keyservers, make sure that you perform the following steps after upgrade:
  • On the cluster members where you originally manually added keyserver entries, manually delete them.
  • On the sponsor node only, manually add the custom keyserver entry. This keyserver entry is replicated on all the cluster members.
• After running an upgrade and backup-restore process, orgKeyID and orgKeyBlock are no longer removed from the factory default policy. [3964607]
• After upgrading Symantec Encryption Management Server to version 3.4.1, Symantec Encryption Desktop clients no longer fail to synchronize with the server if the user name of the currently active account includes characters with accent marks. [3994451]