Funnelback 15.10 patches
Patches
| Type | Release version | Description |
|---|---|---|
3 Bug fixes |
Upgrades log4j2 to version 2.16 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints. |
|
3 Bug fixes |
Removes the screens for file-manager rule editing which could create security issues |
|
3 Bug fixes |
Fixes an issue where support packages could contain unintended files |
|
3 Bug fixes |
Fixes an issue where the running Funnelback jetty web server could retain permissions via supplemental groups after startup |
|
3 Bug fixes |
Limits an administration CGI script to redirect only within the Funnelback administration interface as intended |
|
3 Bug fixes |
Removes the unused administration debug.cgi script which reflected input parameters without proper escaping |
|
3 Bug fixes |
Prevent XSS AngularJS sandbox bypassing injection in Freemarker templates escaped using output formats by inserting zero-width whitespace between consecutive open-curly-brackets. |
|
3 Bug fixes |
Prevent XSS AngularJS sandbox bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open-curly-brackets. |
|
3 Bug fixes |
Prevent XSS AngularJS sandbox bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open-curly-brackets. |
|
3 Bug fixes |
Improves the Accessibility Auditor historical data storage. The data is stored in less space while also being significantly faster when storing and retrieving data. The Accessibility Auditor historical data APIs are also improved to reduce the amount of memory needed to help reduce the chance of 'OutOfMemoryError' exceptions from being thrown. The Accessibility Auditor historical data will be automatically moved to the new storage format when Jetty is restarted (one collection at a time) or on the first Accessibility Auditor historical data API request. |
|
3 Bug fixes |
The default timeout for 'push.scheduler.delay-between-meta-dependencies-runs' has been increased to '1200' (20 minutes). This has been increased to reduce the frequency at which Accessibility Auditor historical data is recorded. This option will need to be overridden if meta collections containing push collections need a smaller delay in updating the spelling index and auto completion. |
|
3 Bug fixes |
Prevents creation of objects within Freemarker template files to ensure that template editors can not cause external code to be executed. |
|
3 Bug fixes |
Fixes security issues where:
Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl. Please ensure that any customised value for the global |
|
3 Bug fixes |
|
|
3 Bug fixes |
Upgrades the version of our internal libraries to account for recent breaking changes in the Facebook Graph API.
This will fix issues that caused Facebook collections to fail to update on certain user accounts,
when crawling more than 200 posts in an hour, and when crawling events posted by a page.
To update existing Facebook collections that may be failing,
the changes noted in deployment instructions below will need to be made on each groovy script.
|
|
3 Bug fixes |
Fixes a bug where ratio to run full or incremental updates was not being applied and only a full update was triggered. |
|
3 Bug fixes |
Fixes a bug for scheduled updates where the 'schedule.incremental_crawl_ratio' parameter was not being respected. |
|
3 Bug fixes |
Upgrades the twitter library to add support for the longer, 280 character tweets. For this to be used, the ConfigurationBuilder object needs to be updated to call "setTweetModeExtended(true)". With the default twitter groovy gather script, this can be done by adding "cb.setTweetModeExtended(true);" immediately after the creation of the new ConfigurationBuilder. |
|
3 Bug fixes |
Fixes a bug in Accessibility Auditor which caused the document audit view to fail when a document contained escaped or unicode characters in their classnames. |
|
3 Bug fixes |
Fixes a bug in Accessibility Auditor which meant urls containing +'s could not be viewed in the audit tool. |
|
3 Bug fixes |
Fixes a bug where the Admin API was passing the comment to the publish hook as multiple arguments where it should have been passing the comment as a single argument. |
|
3 Bug fixes |
Adds time-based reloading of type-caching objects (XStream and Jackson serialisers) to avoid leaking metaspace memory when groovy classes are serialised and reloaded over time. By default, reloading occurs every 10 minutes, and can be configured in modernui.properties. |
|
3 Bug fixes |
Provides an internal configuration option for controlling groovy class reloading. |
|
3 Bug fixes |
Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none. |
|
3 Bug fixes |
Allow groovy servlet filters to abort processing in preFilterResponse by returning null. |
|
3 Bug fixes |
Changes the click tracking endpoint to no longer depend on the referrer. This does result in the click logs no longer containing the referrer URL. |
|
3 Bug fixes |
Fixes an issue where auditing a PDF in Accessibility Auditor could not be rendered. |
|
3 Bug fixes |
To minimise the number of false positives reported by XSS testing tools, JSON endpoints have restricted the JSONP callback to only contain |
|
3 Bug fixes |
Fixes an issue where bin/reports-send-email.pl was not reading profile email configuration options from reporting-email.cfg. |
|
3 Bug fixes |
Fixes an issue where auto completion with partials did not respect the profile scope. |
|
3 Bug fixes |
Fixes an issue with bin/reports-send-email.pl which fails to run. |
|
3 Bug fixes |
Fixes an issue where updates and editing meta collections can fail because historical data for Accessibility Auditor could not be recorded. |
|
3 Bug fixes |
Restores the behavior of update.pl such that the gatherer (e.g. the web crawler) will use the same collection.cfg file that is passed to update.pl. |
|
3 Bug fixes |
Improves the creation of snapshots on empty push collections. |
|
3 Bug fixes |
Disable production of the unused (and potentially large) graph.log file. |
|
3 Bug fixes |
Fixes an issue where instant updates would not work when external metadata was used. |
|
3 Bug fixes |
Fixes a translation that was removed in a previous patch which caused the current license usage not to display correctly. |
|
3 Bug fixes |
Improvements to Push collections:
|
|
3 Bug fixes |
Fixes an issue with Facebook collections preventing some posts from being gathered if a post or comment caused an error. Includes the full fix which was missing from patch 15.10.0.14. |
|
3 Bug fixes |
Updates the 'search_user' collection.cfg option such that if '@' is missing from the name '@' followed by the hostname of the machine will be appended to make the from address when sending collection update related emails. |
|
3 Bug fixes |
Fixes a bug where indexed terms within a metadata field could be revealed in DLS enabled collections if both query processor options translucent_DLS and countIndexedTerms where enabled. Note that these options can only be enabled server side. |
|
3 Bug fixes |
Fixes an issue with Facebook collections preventing some posts from being gathered if a post or comment caused an error. |
|
3 Bug fixes |
Add support to crawl Flickr photosets. |
|
3 Bug fixes |
Improves the synonyms API to handle files with windows line endings. |
|
3 Bug fixes |
Fixes a bug in the crawler which caused the crawl to only terminate after the crawl timeout, rather than when the crawler had no more URLs to crawl. |
|
3 Bug fixes |
Updates the location of the Push sync restart API call to be consistent with other state changing calls. The existing API call is kept for compatibility. |
|
3 Bug fixes |
Adds a new Push sync health API calls that never return null for the value of the boolean in the response. The new calls are under /v2/ of the API. |
|
3 Bug fixes |
Fixes a bug where indexing may fail on large indexes. |
|
3 Bug fixes |
Makes a |
|
3 Bug fixes |
Fixes a bug in the Marketing Dashboard where labels in the accessibility auditor chart are overlapping. |
|
3 Bug fixes |
Introduces the ability to customise the jetty access logging configuration with logback. The default behaviour of logging is unchanged, however with this patch it is possible to configure access log compression, filtering and size-based retention policies if desired. See Funnelback version 15.12 "Configuring embedded web server" documentation for details and example of how to customise access logging configurations. |
|
3 Bug fixes |
Fixes a bug where Content Auditor would be incompatible with collections that had facets configured. |
|
3 Bug fixes |
Updates the version of restfb so that custom Facebook gatherers may use a later version of the graph API. |
|
3 Bug fixes |
Adds a |
|
3 Bug fixes |
Fixes a bug in the query processor when promote URLs was used with URLs that contained double dash. |
|
3 Bug fixes |
Fixes a bug in the query processor where sorting on file size did not work. |
|
3 Bug fixes |
Fixes the modern UI search endpoints such that it returns only config for the selected profile rather than for for all profiles. |
|
3 Bug fixes |
Reduces memory requirements for the Jetty web server JVM when Funnelback has many collections. |
|
3 Bug fixes |
Fixes a bug where the query processor would fail when sorting on a metadata class that was not defined on all components of a meta collection. |
|
3 Bug fixes |
Fixes a bug where exporting the top queries to csv on the marketing dashboard was not working in Internet Explorer 11. |
|
3 Bug fixes |
Fixes a bug where exporting the trend alerts listing to csv on the marketing dashboard was not working in Internet Explorer 11. |
|
3 Bug fixes |
Fixes a bug where the update step RecordAccessibilityAuditorHistory would not wait long enough for the API request to report the data to complete, preventing the update from finishing. |
|
3 Bug fixes |
Fixes a bug where very long duplicate titles in the Content Auditor would incorrectly wrap. |
|
3 Bug fixes |
Fixes a bug where the auto completion for the Funnelback documentation in the admin interface would not work correctly. |
|
3 Bug fixes |
Fixes a bug where $GROOVY_COMMAND in the post_update_command collection.cfg option would not be expanded. |
|
3 Bug fixes |
Fixes a bug where Push Replication would re-attempt a connection to master without sleeping if the response from master was not a 200. |
|
3 Bug fixes |
Improves Push collections so that snapshots are marked incomplete during creation to help avoid incomplete snapshots from being used. |
|
3 Bug fixes |
Improves Push Replication performance by enabling compression on more files. |
|
3 Bug fixes |
Fixes an issue with the Push API client, Push Replication and the Push2 store, where the API client was sending duplicate requests. |
|
3 Bug fixes |
Fixes an issue with the indexer option -facet_item_sepchars where metadata for facets was not correctly separated unless the option included the |
|
3 Bug fixes |
Improves stability during query processing where very large packets produced by the query processor will be dropped to protect the Jetty web server from running out of memory. By default query processor packets over 60MB will be dropped. This option is configurable in |
|
3 Bug fixes |
Fixes an issue with per collection logging under the modern UI which handles query processing, where the per collection logs would go to only one collection. |