Funnelback 15.2 patches

Patches

Type Release version Description

3 Bug fixes

Upgrades log4j2 to version 2.17 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

3 Bug fixes

Prevents creation of objects within Freemarker template files to ensure that template editors can not cause external code to be executed.

3 Bug fixes

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.

3 Bug fixes

Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none.

3 Bug fixes

Changes the click tracking endpoint to no longer depend on the referrer. This does result in the click logs no longer containing the referrer URL.

3 Bug fixes

Fixes an issue where auto completion with partials did not respect the profile scope.

3 Bug fixes

Fixes a cross site scripting vulnerability when unescaped HTML was provided to the CheckBlending macro’s linkText attribute.

3 Bug fixes

Corrected the XSS Vulnerability in Anchors.html

3 Bug fixes

Fixes a bug where data loss could occur in Push collections if commits failed.

3 Bug fixes

Fixes a bug on Windows where commits could fail if index files in a snapshot are held opened.

3 Bug fixes

Fixes various DLS security flaws.

3 Bug fixes

Fixes a bug where data loss could occur in push on Windows. The problem is more likely to occur when Push is used in a meta collection.

3 Bug fixes

Fixes an issue when copying best bets using a match type other than "exact query match".

3 Bug fixes

Fixes a race condition when saving a meta collection configuration on Windows if a component collection is updating in the background.