Funnelback patch 15.22.0.29

  • Released: 2020-09-25

  • Applies to: v15.22.0

  • Internal reference: RNDSUPPORT-3259, RNDSUPPORT-3258

Description

  • Fixes an issue where sessions are not terminated on logout events triggered by perl pages.

  • Fixes an XXE issue where input to the webdav endpoint could be manipulated to trigger http requests.

Affected files

  • lib/perl/Funnelback/HTML.pm

  • web/webapps/funnelback-admin-api.war

Deployment

  • Stop the Jetty web server.

  • Deploy the provided files on top of an existing install, backing up all replaced files.

  • (15.22.0.11) Run $SEARCH_HOME/bin/setup/start_funnelback_on_boot.pl to regenerate service files from the templates. Please note that this will cause each Funnelback service to be restarted.

  • (15.22.0.11) Reboot the Funnelback server to ensure systemd picks up the changes to the service files.

  • Start the Jetty web server if the server was not restarted