Funnelback 15.24 patches

Patches

Type Release version Description

3 Bug fixes

Prevented the creation of objects within Freemarker template files to ensure that template editors cannot cause external code to be executed.

1 New and revised features

Added new server configuration keys to configure the Jetty HTTP connection.

3 Bug fixes

Fixed an issue where the post-update hook script was executed even if the knowledge graph import had failed.

1 New and revised features

Added a new knowledge graph public endpoint /kg/nodes/version?collection=<collectionID>&profile=<profileID> to access the knowledge graph’s last update version.

3 Bug fixes

Fixed an issue where PDF files are not crawled when form interaction is enabled with in-crawl authentication.

3 Bug fixes

Fixed an issue where fetching Facebook comments would cause an infinite loop due to changes within the Facebook endpoints.

3 Bug fixes

Fixed a security vulnerability where jackson-databind might allow remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks.

3 Bug fixes

Fixed a security vulnerability where com.google.oauth-client hasn’t implemented PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps.

3 Bug fixes

Fixed a security vulnerability where Spring Framework may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965].

3 Bug fixes

Upgrades log4j2 to version 2.17 to fix the security vulnerability where Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

3 Bug fixes

Upgrades log4j2 to version 2.15 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

3 Bug fixes

Fixes an issue where the edit metadata mappings administration dashboard wouldn’t display counts of detected sources in searchable documents properly.

3 Bug fixes

Search session cookies are now explicitly marked with SameSite=None;Secure to fix functionality in partial integrations.

3 Bug fixes

Fixes an issue where faceted navigation UI would freeze due to numerous API requests done to check templates' backups for the usage of legacy facets.

3 Bug fixes

Fixes a bug with base tags with href not being used correctly within the crawler.

3 Bug fixes

Fixes a bug in which instant updates would always include the start URLs.

3 Bug fixes

Fixes a cross-site scripting vulnerability in Freemarker templates.

3 Bug fixes

Fixes a bug with YouTube collections when no channel ID is provided.

3 Bug fixes

Reduces logging from build_spelling_index.

3 Bug fixes

Fixes a bug in filtering in which Outlook files with attachments could not be parsed correctly.

3 Bug fixes

Fixes an issue in which the ’ character (RIGHT SINGLE QUOTATION MARK) would be excluded from auto completion.

3 Bug fixes

Fixes a bug in which some autocompletion suggestions would be wrongly excluded from the profiles.

1 New and revised features

Adds support for parsing MSG (application/vnd.ms-outlook) type files.

3 Bug fixes

Improves how meta components are determined, avoiding synchronisation issues in multi-server installations.

3 Bug fixes

Fixes an issue where the display of numerical/date content in the administration dashboard was broken when the default browser language was not set to English.

3 Bug fixes

Fixes a bug in which form interactions may not work with config environments.

3 Bug fixes

Fixes a bug in which invalid XML characters in the query could cause queries to fail.

3 Bug fixes

Restores support for the web crawler http_source_host parameter.

3 Bug fixes

Makes it possible to send empty parameters in crawler form interactions.

3 Bug fixes

Fixes a bug in which the text "Is it me?" appeared at the end of all query biased summaries.

3 Bug fixes

Fixes a bug that prevented access restrictions set by hostname from working correctly when Funnelback was deployed behind a load-balancer.

3 Bug fixes

Fixes various XML encoding issues which would cause search not to work.

3 Bug fixes

The Best Bet option to remove a search result if it has the same URL as the best bet is fixed to compare the link URL rather than the URL to display.

3 Bug fixes

Fixes the daemon service broken by patch 15.24.0.26.

3 Bug fixes

The search interface’s pre_process hook point now has the ability to see all profiles for a collection within the data model, where previously it could see only the user’s initially requested profile.

3 Bug fixes

Reduces memory usage when returning search results as XML.

3 Bug fixes

Fixes a bug in PDF filtering when the PDF contains invalid XML characters.

3 Bug fixes

Eliminates a warning emitted when using the delete-collection.pl command line tool.

3 Bug fixes

Fixes incremental filecopy gathering to preserve any additional metadata (e.g. metadata added by custom filters).

3 Bug fixes

Fixes a cosmetic issue where the Marketing Dashboard tiles were not aligned correctly.

3 Bug fixes

Fixes an issue where enabling access restriction was blocking access to Content Auditor, Accessibility Auditor and SEO Auditor API endpoints.

3 Bug fixes

Fixes an issue where searches on collections with sub-searches can fail with a NullPointerException.

3 Bug fixes

Fixes an issue where sessions are not terminated on logout events triggered by Perl pages.

3 Bug fixes

Fixes an XXE issue where input to the WebDAV endpoint could be manipulated to trigger HTTP requests.

3 Bug fixes

Fixes an issue with the web-resources interface which could not cope with unusual file names.

3 Bug fixes

Fixes an issue in which Push replication would fail because the client would not renew its authentication token.

3 Bug fixes

Fixes an issue where the tuning UI may freeze due to the large number of API requests being performed.

3 Bug fixes

Fixes an issue in which instant updates would fail due to long log file names.

3 Bug fixes

Improves tuning so that it can run when collections have no documents.

3 Bug fixes

Fixes admin-ui handling of profiles with hyphens in their IDs.

3 Bug fixes

Fixes an issue where Faceted Navigation extra searches may fail because of an index out of bounds error.

3 Bug fixes

Improves logging when extra searches take too long.

3 Bug fixes

Fixes an issue where the marketing dashboard refers to a non-existent URL when ui.integration_url is not configurable at the profile level.

3 Bug fixes

Fixes IP pseudonymization when Funnelback is behind a load balancer and client IP details are in the X-Forwarded-For header.

3 Bug fixes

Reduces memory consumption and improves performance of the purge sessions endpoint.

3 Bug fixes

Avoids an error in the admin search interface when SAML authentication is used.

3 Bug fixes

Adds a tinkey.jar tool for managing password encryption keys.

3 Bug fixes

Fixes an issue where the knowledge graph update fails when metadata class names are numbers.

3 Bug fixes

Fixes a bug in the auto-completion widget where custom URL parameters set in the params field were not applied.

3 Bug fixes

Fixes a bug where the WebDAV client could lock files with long timeouts and not release them.

3 Bug fixes

Fixes a bug where a session was not saved if a user is not set.

3 Bug fixes

Fixes a bug where trend alert shapes (graphs) were not displayed in the marketing dashboard.

3 Bug fixes

Upgrades the version of RestFB library to account for recent breaking changes in the Facebook Graph API.

3 Bug fixes

Fixes an issue where Facebook collections gathered fewer documents due to a pagination issue in the Facebook Graph API.

3 Bug fixes

The deprecated Facebook Graph API fields name, link, app_links and description have been removed from the default values of the facebook.page-fields configuration key.

3 Bug fixes

Fixes an XML formatting issue in Faceted Navigation click logs.

3 Bug fixes

Fixes a bug with merging under Push.

3 Bug fixes

Fixes a bug in which white space was not preserved in summaries from anchor text when the -map indexer option is enabled.

3 Bug fixes

The Push API client used in multi-server push now has timeouts enabled, allowing it to abandon problematic HTTP requests.

3 Bug fixes

Removes the screens for file-manager rule editing, which could create security issues.

3 Bug fixes

Fixes an issue where support packages could contain unintended files.

3 Bug fixes

Fixes an issue where the running Funnelback Jetty web server could retain permissions via supplemental groups after startup.

3 Bug fixes

Limits an administration CGI script to redirect only within the Funnelback administration interface as intended.

3 Bug fixes

Removes the unused administration debug.cgi script, which reflected input parameters without proper escaping.

3 Bug fixes

Fixes a bug where a horizontal display of columns in the auto-completion dropdown doesn’t work.

3 Bug fixes

Fixes a bug where an insecure operation on the CSS files list was performed when a CSS file was exposed via the same domain as the auto-completion widget but a different port.

3 Bug fixes

Fixes an issue where the push API failed to start up when using SAML authentication.

3 Bug fixes

Fixes an issue where concurrently encrypting passwords for the first time could create multiple master keysets but store only one, so the remaining encrypted passwords could not subsequently be decrypted.

3 Bug fixes

Fixes an issue where a NullPointerException is sometimes thrown when using the country name Curator trigger.

3 Bug fixes

Fixes an issue where Filecopier would sometimes log passwords.

3 Bug fixes

Fixes an issue where Knowledge Graph Groovy scripts are not executed when they are defined at the profile preview level.

3 Bug fixes

Fixes an issue where the Knowledge Graph class CsvImporterNeo4j does not create nodes inside Neo4j when executed externally.

3 Bug fixes

Fixes an issue where the Knowledge Graph API does not work when a JDBC driver is specified for the session database.

3 Bug fixes

Fixes a bug in which uploading configuration files in the administration dashboard stopped working.