Funnelback 15.12 patches

Patches

Type: Bug fixes (all entries)

  • Upgrades log4j2 to version 2.16 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

  • Fixes an issue where sessions were not terminated on logout events triggered by Perl pages.

  • Removes the file-manager rule editing screens, which could create security issues.

  • Fixes an issue where support packages could contain unintended files.

  • Fixes an issue where the running Funnelback Jetty web server could retain permissions via supplemental groups after startup.

  • Limits an administration CGI script to redirect only within the Funnelback administration interface, as intended.

  • Removes the unused administration debug.cgi script, which reflected input parameters without proper escaping.

  • Prevents XSS via AngularJS sandbox-bypass injection in Freemarker templates escaped using output formats, by inserting a zero-width space between consecutive opening curly brackets.

  • Prevents XSS via AngularJS sandbox-bypass injection in Freemarker templates, by inserting a zero-width space between consecutive opening curly brackets.

  • Prevents XSS via AngularJS sandbox-bypass injection in Freemarker templates, by inserting a zero-width space between consecutive opening curly brackets.

  • Improves the performance of the Accessibility Auditor interface by requesting less data.

  • Fixes an issue where some of the text on the Accessibility Auditor dashboard showed out-of-date information.

  • Improves the query response time when sorting.

  • Fixes an issue where large (>2GB) index.dt files would cause padre-gs to fail when setting gscopes.

  • Improves the Accessibility Auditor historical data storage. The data is stored in less space and is significantly faster to store and retrieve. The Accessibility Auditor historical data APIs are also improved to reduce the amount of memory needed, lowering the chance of 'OutOfMemoryError' exceptions being thrown. The Accessibility Auditor historical data is automatically moved to the new storage format when Jetty is restarted (one collection at a time) or on the first Accessibility Auditor historical data API request.

  • The default timeout for 'push.scheduler.delay-between-meta-dependencies-runs' has been increased to '1200' (20 minutes). This reduces the frequency at which Accessibility Auditor historical data is recorded. This option will need to be overridden if meta collections containing push collections need a smaller delay in updating the spelling index and auto-completion.

  • Prevents creation of objects within Freemarker template files, to ensure that template editors cannot cause external code to be executed.

  • Fixes a bug where 'FineTune' could crash when 'query_processor_options' was longer than '1000' bytes.

  • Push slaves now actively pull down merged/vacuumed generations, rather than waiting for commits to trigger this. This can help solve problems where the slaves do not reduce the number of generations, or where re-indexes are not pulled down by the slaves.

  • Fixes security issues where:

      • The default form-not-found template reflected the given form id without proper escaping.

      • The default configuration of URL previewing could be used to expose local log file content.

    Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

    Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.

  • Improves the performance of the directory gatherer.

  • Fixes support for sort mode '3' in query completion, allowing 'alpha' to be respected.

  • The parent_group Facebook events field has been removed, since it requires escalated permissions. On some Facebook collections this caused crawling of events to fail.

  • Provides additional metadata for Twitter records specifying whether a tweet is a reply and what it is a reply to. This is made available in the XML under 'isReply', 'inReplyToScreenName', 'inReplyToStatusId', 'inReplyToUserId' and 'inReplyToUrl'.

  • Upgrades the version of our internal libraries to account for recent breaking changes in the Facebook Graph API. This fixes issues that caused Facebook collections to fail to update on certain user accounts, when crawling more than 200 posts in an hour, and when crawling events posted by a page. To update existing Facebook collections that may be failing, the changes noted in the deployment instructions below will need to be made on each groovy script. The best_page and parent_page Facebook page fields have been removed, since they require escalated permissions.

  • Fixes an issue where the web crawler parser would time out when parsing large (10MB+) HTML pages.

  • Updates the search sessions click history to no longer record all metadata into the DB. Search sessions will only record the metadata classes listed in the profile.cfg option 'ui.modern.session.search_history.metadata'. By default this is empty, but it can be set to a comma-separated list of the wanted metadata classes, for example:

    ui.modern.session.search_history.metadata=a,b,c

  • Fixes a bug where the ratio for running full or incremental updates was not being applied and only a full update was triggered.

  • Fixes a bug for scheduled updates where the 'schedule.incremental_crawl_ratio' parameter was not being respected.

  • Fixes potential issues introduced by 15.12.0.12 and subsequent patches, caused by an incorrect file being included in the patch.

  • Fixes a bug in Accessibility Auditor which caused the document audit view to fail when a document contained escaped or Unicode characters in its class names.

  • Fixes a potential indexer crash introduced in 15.12.0.14, and some additional cases where multiple dots could be shown in summaries.

  • Fixes query-biased summaries so that they do not show multiple dots when the original content contains non-breaking spaces as the only value within "p" tags.

  • Increases the maximum query length to 1MB and the maximum number of query nodes to 16384, on Linux only.

  • Fixes a bug where analytics would skip query logs when the query was run with a gscope that was not all numbers.

  • Fixes a bug where query processing would not complete if the query contained an isolated colon.

  • Fixes a bug where query processing would not complete if the query contained "%" when search sessions were enabled.

  • Fixes a bug in the "JSONToXML" filter which would produce odd XML when a JSON key was set to "content", e.g. {"content": {…}}.

  • Fixes a bug where the Accessibility Auditor overview would fail to display correctly when a certain combination of updates was run in a meta collection.

  • Cleans up the display of the Accessibility Auditor pages when a site has no failures or all of its failures have been acknowledged.

  • Fixes a bug where the Admin API was passing the comment to the publish hook as multiple arguments where it should have been passing the comment as a single argument.

  • Upgrades the Twitter library to add support for the longer, 280-character tweets. For this to be used, the ConfigurationBuilder object needs to be updated to call "setTweetModeExtended(true)". With the default Twitter groovy gather script, this can be done by adding "cb.setTweetModeExtended(true);" immediately after the creation of the new ConfigurationBuilder.

  • Fixes a "gscope opstack underflow" error when named gscopes from facets and a gscope1 parameter are combined.

    In particular, this could occur when using the automatically generated URL scope gscopes in a facet and then clicking the 'more' link on a contextual navigation list. Named gscopes are now combined correctly to avoid failing in this case, and the redundant gscope1 parameter in contextual navigation links has been removed.

  • Fixes an issue which caused the @fb.ExtraSearch Freemarker macro to not return any results.

  • Prevents Pattern Analyser from failing when reporting-blacklist.cfg queries contain quotes.

  • Pattern Analyser now overwrites rather than appends to its log.

  • Changes the Modern UI sessions so that they no longer use J2EE sessions and always use the cookie that was set by ui.modern.session.set_userid_cookie. That option is now removed, and a cookie is always set, but only when sessions are enabled. This reduces disk and CPU load.

  • To support backwards compatibility with some existing implementations, creates facets for zero-count gscopes.

  • Fixes an issue where the user editing interface for a user with no permitted collections was presented with all collections selected, rather than none.

  • Fixes a bug where the classic administration dashboard would not be accessible to non-locally authenticated users (e.g. LDAP) that had a large user .ini file.

  • Fixes the metamap.cfg documentation page to display the code blocks correctly.

  • Changes the click tracking endpoint to no longer depend on the referrer. As a result, the click logs no longer contain the referrer URL.

  • Adds ARIA14 to the Accessibility Auditor and relaxes the requirement for what is considered descriptive text.

  • Fixes an issue where analytics might fail to update.

  • Allows groovy servlet filters to abort processing in preFilterResponse by returning null.

  • Fixes passing Success Criteria being displayed in the Accessibility Auditor when auditing a URL.

  • Adds better support for the gScopesCount map when used with Integer keys rather than the expected String keys. 15.12 changed the type of this map to use String keys rather than Integer keys.

  • Removes selectUrl and unselectUrl from the faceted navigation data model, as they are not required; toggleUrl or the current URL can be used instead.