Funnelback 15.24.0 release notes
Released: 23 October 2019
Supported until: 23 October 2024
Improvements
In General
- Passwords stored in global.cfg and collection.cfg (e.g. passwords to be used when connecting to other systems) are now stored in an encrypted form when they are added or edited.
  - encryption.keyset-handle-provider-class can be used to customize how the encryption keys are stored or retrieved.
- Push collections now provide APIs for restoration to snapshots, including support for fetching the snapshot to be restored automatically from a remote server.
- Improved include_patterns presentation in the configuration interface to better handle large sets of patterns.
- The default search results template now uses the Freemarker recommended HTML escaping mechanism rather than a legacy one.
- The implementation of search sessions and cart functionality within the default search template is now simpler and has fewer library dependencies. The upgrading to session history plugin guide can be used for upgrading existing templates to make use of the simpler variants.
- The configuration settings for contextual navigation, quick links and form interaction are now within the general collection configuration, allowing them to be set via the configuration interface or via the associated REST APIs.
- Improved the performance of accessibility auditor on collections covering many domains.
- /s/all-results.csv can now produce a custom CSV file name by specifying the 'fileName' URL parameter.
- Improved the interaction with web resources directories containing unpublished changes.
- Category headings can now be disabled in the list view on a per-entity basis within the knowledge graph widget.
- Search results data model now includes more useful debugging information related to running internal queries against search indexes.
- Improved support for faceted navigation with queries that contain bigrams (such as CJKT characters).
- Improved the task-picker such that it can load dependencies from custom 'jar' files located in '$SEARCH_HOME/lib/java/task-picker/'.
- Improved query performance when many curator rules are defined for any profile under a collection.
- Improved 'build_autoc' performance for profiles, reducing update times.
- Reduced the time taken by the update step ContentAuditorSummary.
- Improved support for running faceted navigation on extra searches by adding a getEffectiveExtraSearchName() method to the search transaction object which can be considered when modifying the transaction in a hook script.
- Web crawling logs now include timestamps and additional frontier debugging information.
Knowledge Graph Specific
- Knowledge graph now models metadata with multiple values in a list form, allowing for correct presentation of values containing separator characters.
- Knowledge graph configuration now allows a default template to be configured for entity types which do not have a dedicated template.
- When sorted by date, knowledge graph entities are now grouped under useful headings showing the relative date.
- Knowledge graph entities can now define a fallback thumbnail for use if some entities do not define their own thumbnail image.
- Knowledge graph entities can now be created for items with no logical URL to send a user to, and are presented without a view link in this case.
- Improved alignment of entity images and data within knowledge graph widget.
Upgrades to Funnelback components
- The default version of Moment.js used in the default template and knowledge graph widget preview has been upgraded to 2.24.0.
- Upgraded Freemarker library to 2.3.29 (from 2.3.27), which provides some new template syntax (see https://freemarker.apache.org/docs/versions_2_3_29.html).
- The Maxmind database used for queries and search analytics has been upgraded from version 1 to version 2.
Bug fixes
- Fixed an issue where the crawler would follow <meta http-equiv="refresh"> redirects that appeared within HTML comments. Redirects inside comments are now ignored.
- The original target page, rather than the home page, is now loaded if the user is required to log in before accessing an admin-ui page.
- Fixed handling of curator rules with invalid null values.
- Knowledge graph widget now returns to the top when paging through results.
- Improved handling of knowledge graph entities with no valid node_id values.
- Restored the ability of the remove-headers collection config setting to remove security related headers such as X-Frame-Options.
- Fixed accessibility auditor's handling of acknowledgement and collection IDs which produced log errors and prevented 'last seen date' data being recorded.
- The configuration UI now presents very long profile lists in a scrollable form rather than extending off screen.
- The default search template now retains the profile URL parameter when a scope removal link is followed.
- Fixed the lack of redirect information in push collection snapshots.
- Fixed handling of process-id files for Funnelback services to be compatible with recent changes to systemd.
- Fixed an issue where relationship labels in the knowledge graph widget were created incorrectly.
- Fixed an issue where sorting of related entities was not applied based on knowledge graph template configuration.
- Fixed an issue where a double request to the search endpoint in the knowledge graph widget was being sent on pressing the enter key when the search input is focused.
- Fixed an issue where the saving of profile and server level configuration parameters was not being executed due to incorrect backup file creation.
- Tuning now uses the Perl defined in executables.cfg rather than any other Perl on the path.
- Prevented XSS AngularJS sandbox bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open-curly-brackets (though the default search result template no longer uses AngularJS).
- Fixed a bug in which spaces would be removed from query biased summaries which came from 'cdata' sections of XML.
- Empty XML elements mapped as the document URL are now ignored.
- Fixed a memory leak within the jetty web server by disabling the conscrypt SSL provider by default.
- Fixed errors in the sorting of faceted navigation values, which could cause an HTTP 500 error code.
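The meta refresh fix listed above, illustrated as an added example (not Funnelback's crawler code): a raw-text scan picks up a commented-out redirect, while a real HTML parse reports it as a comment so it is never queued. The sample page, URLs and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one redirect is commented out, one is live.
SAMPLE_HTML = """<html><head>
<!-- <meta http-equiv="refresh" content="0; url=/old-landing"> -->
<meta http-equiv="Refresh" content="5; URL='/current-landing'">
</head><body>...</body></html>"""

# Raw-text pattern: it has no notion of comments, so it matches inside them.
NAIVE_RE = re.compile(
    r'<meta\s[^>]*http-equiv="refresh"[^>]*content="([^"]*)"', re.I)


def _target(content):
    """Return the URL from a refresh 'content' value such as '5; url=/x'."""
    m = re.match(r"\s*[\d.]+\s*[;,]\s*(?:url\s*=\s*)?(.+)", content, re.I)
    if not m:
        return None  # e.g. content="30": reload only, no redirect target
    return m.group(1).strip().strip("'\"") or None


def naive_refresh_targets(html):
    """Pre-fix style behaviour: scan raw text, comments included."""
    targets = (_target(m.group(1)) for m in NAIVE_RE.finditer(html))
    return [t for t in targets if t]


class RefreshFinder(HTMLParser):
    """Collects refresh targets from real tags; comments are only counted."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self.skipped_in_comments = 0

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)  # attribute names arrive lowercased
        if (attr.get("http-equiv") or "").lower() == "refresh":
            target = _target(attr.get("content") or "")
            if target:
                self.targets.append(target)

    def handle_comment(self, data):
        # Markup inside <!-- ... --> never reaches handle_starttag;
        # count it so a crawl log can show what was ignored.
        if NAIVE_RE.search(data):
            self.skipped_in_comments += 1


def crawlable_refresh_targets(html):
    """Post-fix style behaviour: (targets to follow, redirects ignored)."""
    finder = RefreshFinder()
    finder.feed(html)
    finder.close()
    return finder.targets, finder.skipped_in_comments


if __name__ == "__main__":
    print("naive :", naive_refresh_targets(SAMPLE_HTML))
    print("parsed:", crawlable_refresh_targets(SAMPLE_HTML))
```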
Important changes
- Funnelback's recommended memory requirements have been increased to reflect higher memory usage seen in practice due to new features introduced over the last few releases.
- Some license keys generated in the past will now trigger a warning saying "This collection is configured with a license in a deprecated form that will not be supported in a future version of Funnelback. Please use the license portal, or contact Funnelback, to request a new license key". To avoid issues in a future upgrade please ensure new licenses are applied to any affected collections.
- The sec.profile.manage permission is now used to determine whether a user can create a service rather than the broader sec.administer.system permission.
- Editing result templates in the administration dashboard now requires only sec.template permission.
- Editing web resources in the administration dashboard now requires only sec.web-resources permission.
Changes to configurations
- contextual_navigation.cfg no longer exists. Contextual navigation options are now configured directly from collection.cfg, see here for the new key names. In short, a prefix of contextual-navigation. has been added to contextual navigation keys. Additionally, the following keys have been renamed:
  - contextual_navigation_enabled -> contextual-navigation.enabled
  - type_max_topics -> contextual-navigation.type.max_clusters
  - topic_max_topics -> contextual-navigation.topic.max_clusters
  - site_max_topics -> contextual-navigation.site.max_clusters
- quicklinks.cfg no longer exists. Quick links options are now configured directly from collection.cfg, the key names and values have been retained.
- form_interaction.cfg no longer exists. Form interaction options are now configured directly from collection.cfg, see here for the new key names. The following keys have been removed:
  - crawler.form_interaction_file
  - crawler.form_interaction_in_crawl

  The following keys have been added:
  - crawler.form_interaction.pre_crawl.groupId.url
  - crawler.form_interaction.pre_crawl.groupId.form_number
  - crawler.form_interaction.pre_crawl.groupId.encrypted.param
  - crawler.form_interaction.pre_crawl.groupId.cleartext.param
  - crawler.form_interaction.in_crawl.groupId.url_pattern
  - crawler.form_interaction.in_crawl.groupId.encrypted.param
  - crawler.form_interaction.in_crawl.groupId.cleartext.param
Upgrade notes
- To upgrade Moment.js to 2.24.0, update the path to the resource in FTL forms from ${GlobalResourcesPrefix}thirdparty/momentjs-2.22.2/moment.min.js to ${GlobalResourcesPrefix}thirdparty/momentjs-2.24/moment.min.js. Note that previous versions of Moment.js will be removed from Funnelback in a future release.
- The upgrade process for contextual_navigation.cfg is automatic. The settings configured in contextual_navigation.cfg are moved into collection.cfg when an upgrade is run. Additionally, the relevant file permissions will be added to the <user>.ini file, assuming the user had access to collection.cfg keys and contextual_navigation.cfg.
- The upgrade process for quicklinks.cfg is automatic. Everything from quicklinks.cfg is moved into collection.cfg and preserved when an upgrade is run. Additionally, the relevant file permissions will be added to the <user>.ini file, assuming the user had access to collection.cfg keys and quicklinks.cfg.
- The upgrade process for form_interaction.cfg is automatic. The settings configured in form_interaction.cfg are moved into collection.cfg when an upgrade is run. Additionally, the relevant file permissions will be added to the <user>.ini file, assuming the user had access to collection.cfg keys and form_interaction.cfg. Please note that if there are any custom scripts which generate form_interaction.cfg files automatically, these may need to be updated to use the new implementation.
- As Maxmind has been upgraded, the Location class within the search transaction at transaction.question.location has been modified. The areaCode, dmaCode and region fields have been removed. The longitude and latitude fields are now of type Double. The Location class has had the following fields added: countryGeoNameId and subdivisions. The subdivisions field is a list that generally holds the state or province that the IP address belongs to.
Patches
Type | Release version | Description |
---|---|---|
3 Bug fixes | | Prevented the creation of objects within Freemarker template files to ensure that template editors can not cause external code to be executed. |
1 New and revised features | | Added new server configuration keys to configure the Jetty HTTP connection. |
3 Bug fixes | | Fixed an issue where the post-update hook script was executed even if the knowledge graph import had failed. |
1 New and revised features | | Added a new knowledge graph public endpoint |
3 Bug fixes | | Fixed an issue where PDF files are not crawled when form interaction is enabled with in-crawl authentication. |
3 Bug fixes | | Fixed an issue where fetching Facebook comments would cause an infinite loop due to changes within the Facebook endpoints. |
3 Bug fixes | | Fixed a security vulnerability where jackson-databind might allow remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks. |
3 Bug fixes | | Fixed a security vulnerability where com.google.oauth-client hasn't implemented PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps. |
3 Bug fixes | | Fixed the security vulnerability where Spring Framework may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965] |
3 Bug fixes | | Upgrades log4j2 to version 2.17 to fix the security vulnerability where Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. |
3 Bug fixes | | Upgrades log4j2 to version 2.15 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. |
3 Bug fixes | | Fixes an issue where the edit metadata mappings administration dashboard wouldn't display counts of detected sources in searchable documents properly. |
3 Bug fixes | | Search session cookies are now explicitly marked with |
3 Bug fixes | | Fixes an issue where faceted navigation UI would freeze due to numerous API requests done to check templates' backups for the usage of legacy facets. |
3 Bug fixes | | Fixes a bug with |
3 Bug fixes | | Fixes a bug in which instant updates would always include the start URLs. |
3 Bug fixes | | Fixes a cross-site scripting vulnerability in Freemarker templates. |
3 Bug fixes | | Fixes a bug with YouTube collections when no channel id is provided |
3 Bug fixes | | Reduces logging from build_spelling_index |
3 Bug fixes | | Fixes a bug in filtering in which outlook files with attachments could not be parsed correctly. |
3 Bug fixes | | Fixes an issue in which character |
3 Bug fixes | | Fixes a bug in which some autocompletion suggestions would be wrongly excluded from the profiles. |
1 New and revised features | | Adds support for parsing MSG ( |
3 Bug fixes | | Improves how meta components are determined, avoiding synchronisation issues in multi-server installations. |
3 Bug fixes | | Fixes an issue where displaying of numerical/date content in administration dashboard was broken when default browser language was not set to English. |
3 Bug fixes | | Fixes a bug in which form interactions may not work with config environments. |
3 Bug fixes | | Fixes a bug in which invalid XML characters in the query could cause queries to fail. |
3 Bug fixes | | Restores support for the web crawler |
3 Bug fixes | | Make it possible to send empty parameters in crawler form interactions. |
3 Bug fixes | | Fixes a bug in which the text "Is it me?" appeared at the end of all query biased summaries. |
3 Bug fixes | | Fixes a bug that prevented access restrictions set by hostname from working correctly when Funnelback was deployed behind a load-balancer. |
3 Bug fixes | | Fixes various XML encoding issues which would cause search not to work. |
3 Bug fixes | | Best Bet option to remove search result if it has the same URL as the best bet is fixed to compare the link URL rather than the URL to display. |
3 Bug fixes | | Fixes the daemon service broken by patch 15.24.0.26. |
3 Bug fixes | | The search interface's |
3 Bug fixes | | Reduces memory usage when returning search results as XML. |
3 Bug fixes | | Fixes a bug in PDF filtering when the PDF contains invalid XML characters. |
3 Bug fixes | | Eliminate a warning emitted when using the delete-collection.pl command line tool |
3 Bug fixes | | Fixes incremental filecopy gathering to preserve any additional metadata (e.g. metadata added by custom filters) |
3 Bug fixes | | Fixes a cosmetic issue where the Marketing Dashboard tiles were not aligned correctly. |
3 Bug fixes | | Fixes an issue where enabling access restriction was blocking access to Content Auditor, Accessibility Auditor and SEO Auditor API endpoints |
3 Bug fixes | | Fixes an issue where searches on collections with sub-searches can fail with a NullPointerException |
3 Bug fixes | | Fixes an issue where sessions are not terminated on logout events triggered by perl pages. |
3 Bug fixes | | Fixes an XXE issue where input to the webdav endpoint could be manipulated to trigger http requests. |
3 Bug fixes | | Fixes an issue with the web-resources interface which could not cope with unusual file names. |
3 Bug fixes | | Fixes an issue in which Push replication would fail because the client would not renew its authentication token. |
3 Bug fixes | | Fixes an issue where the tuning UI may freeze due to the large number of API requests being performed. |
3 Bug fixes | | Fixes an issue in which instant updates would fail due to long log file names. |
3 Bug fixes | | Improves tuning so that it can run when collections have no documents. |
3 Bug fixes | | Fixes admin-ui handling of profiles with hyphens in their IDs. |
3 Bug fixes | | Fixes an issue where Faceted Navigation extra searches may fail because of an index out of bounds error. |
3 Bug fixes | | Improves logging when extra searches take too long. |
3 Bug fixes | | Fixes an issue where marketing dashboard refers a non-existing URL when |
3 Bug fixes | | Fixes ip pseudonymization when Funnelback is behind a load balancer and client ip details are in the |
3 Bug fixes | | Reduces memory consumption and improves performance of the purge sessions endpoint. |
3 Bug fixes | | Avoids an error in the admin search interface when SAML authentication is used. |
3 Bug fixes | | Adds a tinkey.jar tool for managing password encryption keys. |
3 Bug fixes | | Fixes an issue where knowledge graph update fails when having numbers as metadata class names. |
3 Bug fixes | | Fixes a bug in auto-completion widget where custom URL parameters set in |
3 Bug fixes | | Fixes a bug where WebDAV client could lock files with long timeouts and not release them. |
3 Bug fixes | | Fixes a bug where a session was not saved if a user is not set. |
3 Bug fixes | | Fixes a bug where trend alerts shapes (graphs) haven't been displayed in marketing dashboard. |
3 Bug fixes | | Upgrades the version of |
3 Bug fixes | | Fixes an issue where Facebook collections gathered fewer documents due to a pagination issue in the Facebook Graph API. |
3 Bug fixes | | Facebook Graph API deprecated fields |
3 Bug fixes | | Fixes an XML formatting issue in Faceted Navigation click logs. |
3 Bug fixes | | Fixes a bug with merging under Push. |
3 Bug fixes | | Fixes a bug in which white space was not preserved in summaries from anchor text when the |
3 Bug fixes | | The Push API client used in multi server push now has timeouts enabled allowing it to abandon problematic HTTP requests. |
3 Bug fixes | | Removes the screens for file-manager rule editing which could create security issues |
3 Bug fixes | | Fixes an issue where support packages could contain unintended files |
3 Bug fixes | | Fixes an issue where the running Funnelback jetty web server could retain permissions via supplemental groups after startup |
3 Bug fixes | | Limits an administration CGI script to redirect only within the Funnelback administration interface as intended |
3 Bug fixes | | Removes the unused administration debug.cgi script which reflected input parameters without proper escaping |
3 Bug fixes | | Fixes a bug where a horizontal display of columns in auto-completion dropdown doesn't work. |
3 Bug fixes | | Fixes a bug where insecure operation on CSS files list was performed when CSS file was exposed via the same domain as auto-completion widget but different port. |
3 Bug fixes | | Fixes an issue where the push API failed to start up when using SAML authentication. |
3 Bug fixes | | Fixes an issue where concurrently encrypting passwords for the first time could create multiple master keysets but store only one; remaining encrypted passwords could not subsequently be decrypted. |
3 Bug fixes | | Fixes an issue where a NullPointerException is sometimes thrown when using the country name Curator trigger. |
3 Bug fixes | | Fixes an issue where Filecopier would sometimes log passwords. |
3 Bug fixes | | Fixes an issue where Knowledge Graph groovy scripts are not executed when they are defined at the profile preview level. |
3 Bug fixes | | Fixes an issue where the Knowledge Graph class |
3 Bug fixes | | Fixes an issue where Knowledge Graph API does not work when a JDBC driver is specified for the session database. |
3 Bug fixes | | Fixes a bug in which uploading configuration files in the administration dashboard stopped working. |