Funnelback 15.4.0 release notes

15.4.0 - Selected improvements and bug fixes

  • Improved Modern UI logging: FreeMarker errors are now logged to the Modern UI log rather than the Jetty log, and extra searches messages now contain the proper collection and profile information.

  • The classic admin UI now uses the same login page and authentication system as the marketing dashboard.

  • Funnelback now includes an output connector for ManifoldCF version 2.x, in place of including a full installation of ManifoldCF v1.x.

  • Push collections use a better algorithm for choosing which generation to merge.

  • Push multi server setups use significantly less bandwidth and less disk IO for replication.

  • Push multi server setups can now ignore redirect files on the index.

  • Push will now re-index large generations with mostly killed documents.

  • Push multi server setups now support compression and no longer require the webdav service.

  • Push supports parallel indexing.

15.4.0 - Upgrade Issues

  • Deprecated binaries have been removed from SEARCH_HOME/linbin/ (Linux) and SEARCH_HOME/wbin/ (Windows): info-zip, libxslt, modssl, nginx, openssl, xsltproc. These will need to be re-installed separately if needed.

  • Since Funnelback no longer includes an embedded ManifoldCF installation, please ensure ManifoldCF is installed as described in "connecting enterprise repositories" if it is to be used.

  • Funnelback’s embedded Jetty web server no longer provides JSP support for web applications. This was only used by ManifoldCF which now needs to be installed separately.

15.4.0 Errata

  • An issue exists with the Admin UI’s "Prepare Funnelback for upgrade" system menu option in 15.4.0. To work around this issue, please use the following Push API call directly:

    POST /v1/upgrade/prepare

An interface to access this call directly is available within Funnelback’s UI (https://<host name>:<admin port>/search/admin/api-ui/) under the Push API tab in the push-api-collection section.

Patches

Type Release version Description

3 Bug fixes

Prevents creation of objects within FreeMarker template files to ensure that template editors cannot cause external code to be executed.

3 Bug fixes

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.

3 Bug fixes

Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none.

3 Bug fixes

Fixes a bug where data loss could occur in Push collections if commits failed.

3 Bug fixes

Fixes a bug on Windows where commits could fail if index files in a snapshot are held open.

3 Bug fixes

Fixes various DLS security flaws.

3 Bug fixes

Fixes a bug where data loss could occur in Push on Windows. The problem is more likely to occur when Push is used in a meta collection.
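
One way to check a customised default_url_renderer.permitted_url_pattern value against file:// URLs, as the security patch note above asks. This is an added example, not Funnelback code: it assumes global.cfg holds key=value lines, that the value is a regular expression, and that Python's re module approximates how Funnelback evaluates it. The probe URLs and sample config are constructed.

```python
import re

KEY = "default_url_renderer.permitted_url_pattern"

# Constructed probes: a plain file URL, an upper-case scheme (catches
# case-sensitive deny rules), and one embedding "http://" (catches
# unanchored allow rules).
PROBES = [
    "file:///var/log/example.log",
    "FILE:///C:/example/log/example.log",
    "file:///var/log/http://example.com/",
]

def read_setting(cfg_text, key=KEY):
    """Return the last value assigned to key in key=value text, or None."""
    value = None
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, val = line.partition("=")
        if sep and name.strip() == key:
            value = val.strip()
    return value

def audit_pattern(pattern):
    """Return (status, detail) for one permitted_url_pattern value."""
    if pattern is None:
        return ("default", "no customised value set")
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return ("invalid", f"pattern does not compile: {exc}")
    # search() is deliberately conservative: it flags a pattern that could
    # match a file:// URL anywhere, whether or not matching is anchored.
    hits = [url for url in PROBES if rx.search(url)]
    if hits:
        return ("unsafe", "pattern admits " + ", ".join(hits))
    return ("ok", "no file:// probe matched")

if __name__ == "__main__":
    # Constructed global.cfg content for demonstration.
    sample_cfg = "# constructed sample\n" + KEY + "=^(?!file:).*\n"
    print(audit_pattern(read_setting(sample_cfg)))
```

An "unsafe" result means the pattern needs review; an "ok" result covers only these probes, so confirm against the patched installation as well.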