Funnelback 15.2.0 release notes

15.2.0 - Selected improvements and bug fixes

  • Renamed Modern Admin UI to Administration Interface (in general) and Marketing Dashboard (for specific marketing focused functionality). Note that both are distinct from the older Classic Admin UI.

  • Curator can now be configured to examine additional URL parameters with the ui.modern.curator.query-parameter-pattern setting.

  • Synonym blending will now run on complex queries.

  • The query processor will execute queries when the query parameter is not set and the system query s is set.

  • Push now reads the worker thread count config option from push.worker-thread-count rather than from worker-thread-count.

  • Fixed an issue where duplicate pagination within content auditor would persist even after leaving the duplicate area.

  • Improved styling of the documentation, content auditor and the administration interfaces.

  • Added support for iframe tags within best bet previews.

  • Fixed default search template to display curator driven best bets.

  • Improved HTML tag boundary sentence detection within content auditor’s readability grade calculation.

  • Fixed result collapsing presentation for result pages after the first.

15.2.0 - Upgrade Issues

  • The Administration Interface now respects additional permissions for synonyms (sec.synonym), best bet (sec.best-bet) and curator (sec.curator). These permissions will be granted to users with the "administrator" and "editor" roles on upgrade. These permissions grant complete access to the corresponding feature (view & modify). If custom file manager rules were previously configured in the users INI files to control specific permissions on corresponding configuration files (e.g. synonyms.cfg), the users INI file will need to be reviewed to add or remove the new permissions as needed.

  • The modernui.log used to contain logs for both the public and admin context. It is now split into two separate log files, modernui.Public.log and modernui.Admin.log.

Patches

Type Release version Description

3 Bug fixes

Upgrades log4j2 to version 2.17 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

3 Bug fixes

Prevents creation of objects within Freemarker template files to ensure that template editors cannot cause external code to be executed.

3 Bug fixes

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.

3 Bug fixes

Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none.

3 Bug fixes

Changes the click tracking endpoint to no longer depend on the referrer. This does result in the click logs no longer containing the referrer URL.

3 Bug fixes

Fixes an issue where auto completion with partials did not respect the profile scope.

3 Bug fixes

Fixes a cross-site scripting vulnerability when unescaped HTML was provided to the CheckBlending macro’s linkText attribute.

3 Bug fixes

Corrected the XSS vulnerability in Anchors.html.

3 Bug fixes

Fixes a bug where data loss could occur in Push collections if commits failed.

3 Bug fixes

Fixes a bug on Windows where commits could fail if index files in a snapshot are held open.

3 Bug fixes

Fixes various DLS security flaws.

3 Bug fixes

Fixes a bug where data loss could occur in push on Windows. The problem is more likely to occur when Push is used in a meta collection.

3 Bug fixes

Fixes an issue when copying best bets using a match type other than "exact query match".

3 Bug fixes

Fixes a race condition when saving a meta collection configuration on Windows if a component collection is updating in the background.
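
One way to check the default_url_renderer.permitted_url_pattern instruction from the URL previewing patch above, as an added example that is not Funnelback's own code. It assumes global.cfg uses key=value lines, that the setting is a regular expression matched against the requested URL, and that Python's regex dialect is close enough to the product's for the pattern in use; the probe URLs and sample configurations are constructed.

```python
import re

SETTING = "default_url_renderer.permitted_url_pattern"

# Constructed probe URLs: spellings of the file scheme a permitted pattern must reject.
FILE_URL_PROBES = [
    "file:///constructed/path/example.log",
    "FILE:///constructed/path/example.log",
    "file://localhost/constructed/path/example.log",
    "file:/constructed/path/example.log",
]

# Constructed sample configurations (assumed key=value format).
WEAK_CFG = "# constructed sample\n" + SETTING + "=.*\n"
STRICT_CFG = "# constructed sample\n" + SETTING + "=^https?://.*\n"


def read_setting(cfg_text, key=SETTING):
    """Return the last value assigned to key, or None if it is not customised."""
    value = None
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()
    return value


def file_urls_permitted(pattern):
    """List the probe URLs the pattern accepts.

    The product's matching mode is an assumption, so an unanchored search is
    used: it flags anything a full match would accept as well.
    """
    rx = re.compile(pattern)
    return [url for url in FILE_URL_PROBES if rx.search(url)]


def audit(cfg_text):
    """Return ('default', []) when unset, else ('custom', accepted_file_urls)."""
    pattern = read_setting(cfg_text)
    if pattern is None:
        return ("default", [])
    return ("custom", file_urls_permitted(pattern))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("strict", STRICT_CFG)):
        print(name, audit(cfg))
```

A non-empty list for a customised value means the pattern still admits file:// URLs and needs tightening.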