Patch Notes for CTE-U 10.5.0.53
Patch Information | |
---|---|
Release | v10.5.0.53 |
Date | 2025-10-15 |
Document Version | 1 |
New Features and Enhancements
Confidential Computing Support
Confidential Computing is now supported on Red Hat Enterprise Linux (RHEL) 9.x and 10.x and Ubuntu 24.x.
- See Confidential Computing: Integrating Intel® Tiber™ Trust Services and Intel TDX, with Microsoft Azure or Google Cloud Platform for more information.
Resolved Issues
- AGT-68299: `gname` fails to match when user belongs to the Domain Admins group
  The issue occurred because the buffer size for the calls was too small. The solution was to increase the buffer size.
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  A path length longer than 1024 characters is not supported.
- AGT-45125: Execute program from the GuardPoint
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  Due to the implementation of the FreeBSD kernel, executing a program inside of a GuardPoint is not supported. As a result, process sets and signature sets are not supported for programs inside of a GuardPoint in FreeBSD in CTE-U.
- AGT-46856: FUSE protocol violation warning message
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  The kernel driver displays this message because the file size reported by CTE is different from the file size of the actual file, so FuseFS thinks something has changed and triggers the warning. This message is benign and can be ignored.
- AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  In the future, Thales will try to enhance this feature to reduce the logs more.
- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  CTE-U does not support security rules with process sets, or user sets, for block devices. Refer to Sample Policy for Block Devices.
- AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, it is not possible to cleanly stop `secfs-fuse`. Attempts to do so may result in a hang where recovery is only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or previous versions.
- AGT-48349: Direct IO does not work with mmap or buffered IO
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  Writing to a file without direct IO, and then reading from the same file with direct IO through a different file descriptor, without syncing or closing the first file descriptor, causes the read to return incorrect data.
  Workaround
  Disable the writeback cache:
  ```
  voradmin secfs config writeback_cache_local 0 <GP>
  ```
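A check that exercises the AGT-48349 access pattern on a single file, added here as an example and not part of the Thales release notes. It assumes GNU dd (for `iflag=direct`) and a POSIX shell, and takes the path of a scratch file inside the GuardPoint you want to verify before and after applying the workaround:

```shell
#!/bin/sh
# Added example (not Thales code): exercise the AGT-48349 access pattern on one
# file and report whether a direct-IO read through a second descriptor sees
# the data written through a still-open, unsynced buffered descriptor.
# Run it on a scratch file inside a GuardPoint before and after setting
# writeback_cache_local to 0. Assumes GNU dd (iflag=direct).
# Return codes: 0 = direct read matched, 1 = stale data (issue present),
#               2 = direct IO not usable on this filesystem (inconclusive).
check_direct_io_consistency() {
  path="$1"
  expected="constructed-sample-payload-$$"   # constructed test content
  : > "$path" || return 2
  # Descriptor 3 is the buffered writer; it stays open and unsynced while
  # dd opens its own descriptor with O_DIRECT and reads the same file.
  exec 3>"$path"
  printf '%s' "$expected" >&3
  # O_DIRECT needs an aligned block size, so read a single 4 KiB block.
  if ! actual=$(dd if="$path" bs=4096 count=1 iflag=direct 2>/dev/null); then
    exec 3>&-
    return 2
  fi
  exec 3>&-
  [ "$actual" = "$expected" ] && return 0
  return 1
}

# Human-readable wrapper for running against a GuardPoint path.
report_direct_io() {
  rc=0
  check_direct_io_consistency "$1" || rc=$?
  case $rc in
    0) echo "OK: direct-IO read matched the buffered write on $1" ;;
    1) echo "MISMATCH: direct-IO read returned stale data on $1 (AGT-48349)" ;;
    *) echo "INCONCLUSIVE: direct IO not usable on $1" ;;
  esac
  return $rc
}

[ -n "${1:-}" ] && report_direct_io "$1"
```

A return code of 1 on a GuardPoint file that disappears after `writeback_cache_local` is set to 0 confirms the issue and the workaround; 2 means the filesystem under the scratch file refused O_DIRECT and the test says nothing either way.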
- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  Workaround
  Run the following Data Transformation cleanup command before transforming the data:
  ```
  dataxform --cleanup --gp <gp_path>
  ```
- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  If the file does not have write permissions, updating the keyid fails and CTE-U generates an I/O error.
  Workaround
  In CTE to CTE-U migration, you must have full write OS permissions for the files copied from the CTE backup to the CTE-U GuardPoint.
- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, when user migrated from a CipherTrust Manager to another CipherTrust Manager, key stopped working
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  When a key is backed up and restored to a different domain or CipherTrust Manager, the keyid may be changed and trigger a protection code in CTE-U that is designed to prevent accidental use of the wrong key or accidental double encryption.
  Workaround
  See Migrating an Encryption Key for more information.
- AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or subsequent versions.
- AGT-54610: Failed to create a file with only a `write` action in the key rule
  AFFECTED VERSIONS: 10.2.0.72 — 10.5.0.49
  When a policy on CipherTrust Manager has only `write` access for a user/process set, the corresponding user/process set on the agent should be able to write to the file. However, due to the FUSE design, CTE-U needs to check for `getattr` permissions on every operation. Due to this limitation, CTE-U did not give the user the `write` permission.
  Workaround
  Customers must grant read attribute permissions to all of the directories and files in the policy. Select the actions `d_rd_att`, `f_rd_att` and `write`.
- AGT-55110: Switching existing MFA client profile, that used `register_host`, failed on CipherTrust Manager enrollment
  AFFECTED VERSIONS: 10.3.0.65 — 10.5.0.49
  Workaround
  In CipherTrust Manager, change the existing Multifactor Authentication `Select MFA Exempted User Set` parameter to your new target user set.
- AGT-59525: CTE-U open() O_RDONLY fails on guarded file with append only attribute
  AFFECTED VERSIONS: 10.3.0.65 — 10.5.0.49
  Running `lsattr` on a guarded file with the append only attribute fails with `Input/output error`.
- AGT-61084: Guarding a bucket which is not present
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  The issue occurred when an AWS bucket is added as a GuardPoint, but the bucket does not exist on AWS.
- AGT-61174: AWS S3 LS operation works even after deleting credential using `voradmin cos s3 cred delete`
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
- AGT-61735: Garbage files being created when CTE-U opened a file in CTE Windows over CIFS
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  Workaround
  Disable temp file creation on CTE Windows:
  ```
  voradmin ldt sxf set 0
  ```
- AGT-63130: The `mkdir` and `chown` commands fail with HP-UX NFS client where GuardPoint is mounted
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  CTE-U does not support process-based access checks with the export scenario. Therefore, you must either disable the authenticator check or add the NFS process as an authenticator.
  See Exporting GuardPoints over NFS for more information.
- AGT-63195: CTE-U UID authentication not working with TMUX
  AFFECTED VERSIONS: 10.4.0.72 — 10.5.0.49
  Workaround
  To create a TMUX session that has the authority of the user who started the TMUX session, use either of two methods:
  - Add `usr/bin/tmux` as an authenticator in the CipherTrust Manager client settings for this client.
  - Run `voradmin secfs config uid_search 0` to set the CTE-U UID authentication to its previous method.
- AGT-65631: Internal server error observed if the awscli version is greater than v2.23.0 and the botocore version is 1.35 or a previous version
  AFFECTED VERSIONS: 10.5.0.49
  Beginning with AWS CLI version 2.23.0, AWS implemented enhanced and more efficient checksum algorithms, including CRC-64/NVME, CRC32, CRC32C, SHA1, and SHA256, with CRC64-NVME set as the new default for the CLI. Users need to utilize an earlier version of the AWS CLI to accommodate this change.
  To get the older version, do the following:
  - Download the installer archive:
    ```
    wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64-<version number>.zip
    ```
    Example:
    ```
    wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.22.35.zip
    ```
  - Unzip the file:
    ```
    unzip awscliv2-<version number>.zip
    ```
  - Install the software as an administrator:
    ```
    sudo ./aws/install
    ```
- AGT-66431: High CPU utilization when deleting large numbers of files
  AFFECTED VERSIONS: 10.5.0.49
  This issue occurred due to a change that was made for memory usage improvement in CTE-U. The problem was that if a very large number of files already have their information stored in a specific memory block, and they are all removed from that block simultaneously, there is a bottleneck in freeing the data. This has been fixed.
- AGT-66896: COS | Unable to upload 0 byte file to the guarded bucket
  AFFECTED VERSIONS: 10.5.0.49
  CTE-U does not support uploading 0 byte files to a Cloud Object Storage GuardPoint.
- AGT-66913: Unable to download file in ranges from bucket
  AFFECTED VERSIONS: 10.5.0.49
  Range download is not supported on COS for CTE-U.
- AGT-68272 [CS2218866]: User is denied with 'faked user' error with CTE-U 10.6.0
  AFFECTED VERSIONS: 10.6.x.x
  Workaround
  Make `tmux` an authenticator.