Funnelback 15.20 patches

Patches

Type | Release version | Description

Bug fixes | | Fixes the security vulnerability where the Spring Framework may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965].

Bug fixes | | Upgrades log4j2 to version 2.17 to fix the security vulnerability where the Apache Log4j2 Thread Context Lookup pattern is vulnerable to remote code execution in certain non-default configurations.

Bug fixes | | Upgrades log4j2 to version 2.15 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

Bug fixes | | Fixes a cross-site scripting vulnerability in Freemarker templates.

Bug fixes | | Fixes an issue where sessions were not terminated on logout events triggered by Perl pages.

Bug fixes | | Fixes an XXE issue where input to the WebDAV endpoint could be manipulated to trigger HTTP requests.

Bug fixes | | Fixes an issue where Faceted Navigation extra searches could fail because of an index-out-of-bounds error.

Bug fixes | | Improves logging when extra searches take too long.

Bug fixes | | Fixes an issue where deleting the collection property from collection.cfg and then deleting the collection itself would delete other configuration data.

Bug fixes | | Fixes IP pseudonymization when Funnelback is behind a load balancer and client IP details are in the X-Forwarded-For header.

Bug fixes | | Reduces memory consumption and improves performance of the purge sessions endpoint.

Bug fixes | | Upgrades the version of the RestFB library to account for recent breaking changes in the Facebook Graph API.

Bug fixes | | Fixes an issue where Facebook collections gathered fewer documents due to a pagination issue in the Facebook Graph API.

Bug fixes | | The deprecated Facebook Graph API fields name, link, app_links and description have been removed from the default values of the facebook.page-fields configuration key.

Bug fixes | | Fixes an XML formatting issue in Faceted Navigation click logs.

Bug fixes | | Fixes a bug in which white space was not preserved in summaries from anchor text when the -map indexer option is enabled.

Bug fixes | | The Push API client used in multi-server push now has timeouts enabled, allowing it to abandon problematic HTTP requests.

Bug fixes | | Removes the screens for file-manager rule editing, which could create security issues.

Bug fixes | | Fixes an issue where support packages could contain unintended files.

Bug fixes | | Fixes an issue where the running Funnelback Jetty web server could retain permissions via supplemental groups after startup.

Bug fixes | | Limits an administration CGI script to redirect only within the Funnelback administration interface, as intended.

Bug fixes | | Removes the unused administration debug.cgi script, which reflected input parameters without proper escaping.

Bug fixes | | Fixes a bug where a horizontal display of columns in the auto-completion dropdown did not work.

Bug fixes | | Fixes a bug where an insecure operation on the CSS file list was performed when a CSS file was exposed via the same domain as the auto-completion widget but on a different port.

Bug fixes | | Fixes a bug introduced in the previous patch in which uploading configuration files in the administration dashboard stopped working.

Bug fixes | | Prevents XSS vulnerabilities found in the classic administration dashboard.

Bug fixes | | Moves Funnelback service PID files to /var/run, which is required by OS updates to systemd.

Bug fixes | | Includes some additional metadata in service template files.

Bug fixes | | Fixes an issue where the crawler would follow <meta http-equiv="refresh"> redirects that appeared within HTML comments. Redirects inside comments are now ignored.

Bug fixes | | Improves support for running faceted navigation on extra searches.

Bug fixes | | Adds the method 'getEffectiveExtraSearchName()' to the search transaction, which returns the name of the extra search this search should be considered to be under. Its result should be used when modifying a particular extra search. As Funnelback may create extra searches under an existing search (for example, for faceted navigation), this can be used to work out whether the search transaction should be modified.

Bug fixes | | Fixes errors in the sorting of faceted navigation values, which could cause an HTTP 500 error code.

Bug fixes | | Prevents XSS via AngularJS sandbox-bypassing injection in Freemarker templates escaped using output formats, by inserting zero-width whitespace between consecutive open curly brackets.

Bug fixes | | Fixes a bug introduced in 15.20.0.16, in which all paths in XML would be considered as document titles.

Bug fixes | | Fixes a bug introduced in 15.20.0.16. Empty XML elements mapped as the document URL are now ignored.

Bug fixes | | Fixes a memory leak by disabling the Conscrypt SSL provider.

Bug fixes | | Prevents XSS via AngularJS sandbox-bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open curly brackets.

Bug fixes | | Please note, this patch was retracted because its incomplete solution caused template errors when used with certain Freemarker escaping modes. The 15.20.0.19 patch, which addresses this issue, should be used instead.

Bug fixes | | Improves the task-picker such that it can load dependencies from custom 'jar' files located in '$SEARCH_HOME/lib/java/task-picker/'.

Bug fixes | | Fixes a bug in which spaces would be removed from query biased summaries which came from 'cdata' sections of XML.

Bug fixes | | ⚠ Similar to version 15.22.0 of Funnelback, the padre indexer XML parser is now less lenient when indexing numeric, date and geolocation metadata. Previously, elements that were not correctly closed, such as <v>123</oops>, could have been mapped to //v. In this version of Funnelback, such mappings will no longer work. This is in line with how other metadata is mapped.

Bug fixes | | Prevents XSS via AngularJS sandbox-bypassing injection in Freemarker templates by inserting zero-width whitespace between consecutive open curly brackets.

Bug fixes | | Fixes an issue where relationship labels in the knowledge graph widget were created incorrectly.

Bug fixes | | Fixes an issue where sorting of related entities was not applied based on the knowledge graph template configuration.

Bug fixes | | Fixes an issue where a double request to the search endpoint in the knowledge graph widget was sent on pressing the Enter key when the search input was focused.

Bug fixes | | Improves the performance of the Accessibility Auditor interface by requesting less data.

Bug fixes | | Fixes an issue where some of the text on the Accessibility Auditor dashboard was showing out of date information.

Bug fixes | | Fixes an issue where the Accessibility Auditor dashboard would not generate the thumbnail screenshots for each domain.

Bug fixes | | Fixes the web crawler so that it uses the 'crawler.user_agent' collection.cfg option.

Bug fixes | | Reduces the memory needed by the Accessibility Auditor history APIs.

Bug fixes | | Fixes an issue where facet navigation URLs in the knowledge graph widget search view were double prefixed with a domain.

Bug fixes | | Fixes an issue where the knowledge graph public /type and /rels APIs were not converted to absolute URLs.

Bug fixes | | Fixes an issue where result URLs from filecopy collections were not resolved correctly due to their relative syntax. The new knowledge graph widget parameter urlPrefix has been added to allow converting relative result URLs to absolute ones.

Bug fixes | | Improves the query response time when sorting.

Bug fixes | | Improves the query response time when sorting by title.

Bug fixes | | Fixes an issue where large (>2GB) index.dt files would cause padre-gs to fail when setting gscopes.

Bug fixes | | Fixes an issue where the browser was displaying a mixed-content error when the Knowledge Graph API sometimes returned URLs with mixed protocols.

Bug fixes | | Fixes an issue where the Knowledge Graph widget returned a cross-origin resource sharing policy error. The Knowledge Graph API now supplies Access-Control-Allow-Origin headers.

Bug fixes | | Fixes an issue where upgrading from an older version of Funnelback would override sec.faceted-navigation from yes to no.

Bug fixes | | Fixes an issue where the WebDAV endpoint would not re-prompt for HTTP Basic authentication when invalid credentials were provided, which could lead to a redirect loop in the Cyberduck WebDAV client.

Bug fixes | | Fixes an issue where knowledge-graph.max_heap_size was not applied when updating the knowledge graph.

Bug fixes | | Fixes an issue where the update could fail during the record Accessibility Auditor history step after migrating a collection from an older version.

Bug fixes | | Fixes an issue where the deprecated wcag check (replaced by Accessibility Auditor) could cause the update to fail because the 'wcag-journal.log' file could not be found.

Bug fixes | | Fixes an issue where Jetty stopped logging after deploying knowledge-graph.

Bug fixes | | Fixes an issue where Facebook collections did not update due to the recent Graph API changes.

Bug fixes | | Fixes an issue in the Knowledge Graph widget where the value of the targetUrl query parameter would be truncated if it contained a '?' character.

Bug fixes | | The API fields that are requested from Facebook can now be specified in collection.cfg using the facebook.page-fields, facebook.post-fields and facebook.event-fields configuration keys. This should enable future changes to Facebook APIs to be handled without requiring further Funnelback patches.

Bug fixes | | Improves how padre query biased summaries are generated such that spaces are added based on the source document. This prevents issues where extra spaces were added or removed.

Bug fixes | | Fixes a bug where Directory collections would strip some unicode characters.

Bug fixes | | Disables HTTP/2 in the underlying HTTP library, which caused socket timeout errors during crawling.

Bug fixes | | Fixes an issue where Jetty would terminate on invalid 'index.autoc' (query completion) files.

Bug fixes | | Fixes an issue where some config settings (e.g. ui.modern.search_link) began returning null when an empty string was expected in the template data model.

Bug fixes | | Scopes searches triggered in the knowledge graph UI to results that exist in the graph database.

Bug fixes | | Ensures the initial targetUrl exists in the graph database when browsing the knowledge graph UI.

Bug fixes | | Ensures the collection parameter is set correctly in the knowledge graph UI when the knowledge graph API returns an error.

Bug fixes | | Fixes setting of knowledge graph labels in the administration dashboard for relationships with undirected direction.

Bug fixes | | Fixes validation for detecting duplicated knowledge graph labels in the administration dashboard for the "metadata" category.

Bug fixes | | Adds missing translation keys and side help for knowledge graph updates in the task queue administration dashboard.

Bug fixes | | Fixes the copy tool in the knowledge graph relationships administration dashboard to create relationships with a unique and valid name.

Bug fixes | | Prevents creating a self-referencing "mention" relationship in the knowledge graph.

Bug fixes | | Makes the funnelback-graph service run as the Funnelback user on Unix.

Bug fixes | | Fixes an issue that prevents the funnelback-graph service from restarting when requested.

Bug fixes | | Fixes an issue that prevents scheduled tasks from appearing in the Administration interface on Windows Server 2016.
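Three of the entries above describe the same Freemarker hardening: inserting zero-width whitespace between consecutive open curly brackets so that user-controlled text rendered into a page that AngularJS later compiles cannot become a `{{ }}` interpolation expression. Standard HTML escaping does not help here because `{` is not an HTML-significant character. The following Python is an added illustration of that mitigation, not Funnelback's own code (which is Java/Freemarker); it assumes the zero-width character is U+200B ZERO WIDTH SPACE, and the sample input is constructed.

```python
import html

# Assumption: the zero-width character used is U+200B ZERO WIDTH SPACE.
ZWSP = "\u200b"


def html_escape_only(text: str) -> str:
    """Plain HTML escaping: neutralises <, >, &, and quotes, but leaves '{' intact."""
    return html.escape(text, quote=True)


def escape_for_angular(text: str) -> str:
    """HTML-escape, then break every run of consecutive '{' with a zero-width space.

    Scanning pairwise (rather than replacing the literal '{{') also covers
    longer runs such as '{{{', which still contain a '{{' pair after a single
    substring replacement.
    """
    escaped = html.escape(text, quote=True)
    out = []
    prev = ""
    for ch in escaped:
        if ch == "{" and prev == "{":
            out.append(ZWSP)
        out.append(ch)
        prev = ch
    return "".join(out)


def has_interpolation_marker(rendered: str) -> bool:
    """True if AngularJS's default '{{' interpolation start marker is present."""
    return "{{" in rendered


def visible_text(rendered: str) -> str:
    """What a reader sees: zero-width spaces render as nothing, so the text looks unchanged."""
    return rendered.replace(ZWSP, "")


def demo() -> dict:
    # Constructed sample: a query string echoed back into the results page.
    # A benign arithmetic expression is enough to show whether interpolation would fire.
    user_query = '{{1+1}} <b>bold</b>'
    weak = html_escape_only(user_query)
    hardened = escape_for_angular(user_query)
    return {
        "weak_has_marker": has_interpolation_marker(weak),          # True: '{{' survives HTML escaping
        "hardened_has_marker": has_interpolation_marker(hardened),  # False: pair is split by U+200B
        "hardened_visible": visible_text(hardened),                 # reader still sees the original braces
        "triple_brace": escape_for_angular("{{{x}}}"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two-layer approach matters: `html.escape` still has to run first so that `<b>` and friends are neutralised, and the brace splitting then addresses the client-side template layer that HTML escaping cannot reach. The retracted 15.20.0.18 note above is a reminder that this post-processing must be applied consistently with whichever Freemarker escaping mode the template uses, or the template itself can break.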