Funnelback 15.4 patches

Patches

Type Release version Description

3 Bug fixes

Upgrades log4j2 to version 2.17 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints.

3 Bug fixes

Removes invalid XML 1.0 characters from indexed documents.

3 Bug fixes

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.
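The advice above asks administrators to confirm that a customised default_url_renderer.permitted_url_pattern cannot be satisfied by a file:// URL. The following is an added audit helper, not part of Funnelback or of this patch list; it assumes the setting is a regular expression matched against the full URL (check the Funnelback documentation for the exact matching semantics). It evaluates a candidate pattern against constructed sample URLs, including local-file URLs in both lower and upper case, and reports whether any of them would be permitted. The unanchored pattern shows why a host-name fragment alone is not a safe allow-list: a file:// path that happens to contain the host name still matches.

```python
import re

# Constructed candidate patterns (assumed to be regular expressions, as the
# global.cfg setting is assumed to be; these are examples, not Funnelback defaults).
WEAK_PATTERN = r".*"                     # permits every URL, including file://
UNANCHORED_PATTERN = r"example\.com"     # matches anywhere in the URL, scheme not checked
HARDENED_PATTERN = r"^https?://"         # only http(s) URLs may be previewed

# Constructed sample URLs covering the cases an audit should exercise.
SAMPLE_URLS = [
    "https://www.example.com/page.html",
    "http://intranet.example.com/doc.pdf",
    "ftp://files.example.com/x",
    "file:///var/tmp/example.com.log",   # local file whose path contains the host name
    "FILE:///etc/hosts",                 # scheme in upper case
]


def is_permitted(pattern: str, url: str) -> bool:
    """True if the URL satisfies the permitted pattern.

    re.search is used on purpose: a pattern without a leading '^' can match in
    the middle of a URL, which is exactly the weakness the audit should surface.
    Case-insensitive matching mirrors the fact that URL schemes are case-insensitive.
    """
    return re.search(pattern, url, re.IGNORECASE) is not None


def permitted_local_file_urls(pattern: str, urls=SAMPLE_URLS) -> list:
    """Return the file:// URLs from `urls` that the pattern would permit."""
    return [u for u in urls if u.lower().startswith("file:") and is_permitted(pattern, u)]


def pattern_blocks_local_files(pattern: str, urls=SAMPLE_URLS) -> bool:
    """Audit result: True only if no file:// URL in `urls` is permitted."""
    return not permitted_local_file_urls(pattern, urls)


if __name__ == "__main__":
    for name, pattern in [("weak", WEAK_PATTERN),
                          ("unanchored", UNANCHORED_PATTERN),
                          ("hardened", HARDENED_PATTERN)]:
        leaked = permitted_local_file_urls(pattern)
        status = "OK" if not leaked else "PERMITS " + ", ".join(leaked)
        print(f"{name:>10} {pattern!r}: {status}")
```

Run the script as-is to see the three verdicts, or call `pattern_blocks_local_files` with the value actually set in global.cfg. A pattern passes only when it anchors on an explicit http or https scheme; anything that merely names a host or uses a catch-all will be reported as permitting local files.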

3 Bug fixes

Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none.

3 Bug fixes

Changes the click tracking endpoint to no longer depend on the referrer. This does result in the click logs no longer containing the referrer URL.

3 Bug fixes

Avoids the output of the DiskAggregator reports phase being overwritten by the DataMiner phase.

3 Bug fixes

Updates the version of restfb so that custom Facebook gatherers may use a later version of the graph API.

3 Bug fixes

Fixes an issue where instant delete tried to kill documents from an index that doesn't exist, causing the update to fail.

3 Bug fixes

Fixes an issue where HSTS was not disabled on all end points.

3 Bug fixes

Fixes an issue where the analytics log was always appended to, resulting in a log file that always grew in size.

3 Bug fixes

Fixes an issue where the URL sent in Trend Alerts emails would not be correctly redirected to the Trend Alerts dashboard.

3 Bug fixes

Updates the version of pdfbox used for filtering so that more PDFs can be correctly filtered.

3 Bug fixes

Improves the performance of Content Auditor as well as some faceted navigation queries.

3 Bug fixes

Fixes a bug in the query processor introduced in patch 15.4.1.19. The previous query processor may be slower or cause an OutOfMemoryError on the Jetty web server.

3 Bug fixes

Fixes a bug with promoted URLs where those that were only partial matches would not be promoted to the top position.

3 Bug fixes

Fixes a bug with Trend Alerts links always referring to the ‘Classic UI’ interface. These links will now refer to the collection’s configured search interface.

3 Bug fixes

Fixes an issue with patch 15.4.1.16 which may cause indexing to fail.

3 Bug fixes

Fixes an issue where a space would not be added after a UTF-8 punctuation character.

3 Bug fixes

Fixes a bug in the license usage API which counted documents that are not normally searchable, e.g. duplicate documents and binary documents.

3 Bug fixes

Fixes a bug where spaces may be inserted after a Unicode (non-ASCII) punctuation character, for example 'foo’s'.

3 Bug fixes

Fixes a cross site scripting vulnerability when unescaped HTML was provided to the CheckBlending macro’s linkText attribute.

3 Bug fixes

Fixes an issue where Content Auditor forced the faceted navigation config to be read from the live folder rather than from the conf folder when it was configured to read from conf.

3 Bug fixes

Fixes issues with Directory gatherer not closing WARC files properly, resulting in broken cached copies.

3 Bug fixes

Corrects an XSS vulnerability in Anchors.html.

3 Bug fixes

Fixes the Content Auditor URI dropdown, which had a spacing displacement issue. Adds a JavaScript function and some minor CSS changes to resolve the issue.

3 Bug fixes

Fixes a bug where reset passwords would be reverted on the next classic administration dashboard password change.

Please note that bin/setup/post_install* scripts are not updated with this patch, and will no longer operate correctly until the next released version of Funnelback is installed.

3 Bug fixes

Fixes a bug in the Admin API (affecting the dashboard) where the "top clicks" for a service would not be scoped to the service but would show all URLs for the collection.

3 Bug fixes

Prevents a deadlock from occurring in the admin-api which may cause the marketing UI to not respond.

3 Bug fixes

Ensures the crawler's User-Agent header applies everywhere when it is set in collection.cfg.

3 Bug fixes

Makes the 'all query words' trigger ignore any empty words in its match list.

3 Bug fixes

A few improvements for content auditor templates.

3 Bug fixes

Fixes a bug where the HTTPClient library attempts to get user permission to store a cookie by creating a dialogue box.

3 Bug fixes

Fixes a bug where data loss could occur in Push collections if commits failed.

3 Bug fixes

Fixes a bug on Windows where commits could fail if index files in a snapshot are held open.

3 Bug fixes

Fixes various DLS security flaws.

3 Bug fixes

Fixes a bug where data loss could occur in push on Windows. The problem is more likely to occur when Push is used in a meta collection.

3 Bug fixes

Increases the size of form submissions permitted by the administration interface.

3 Bug fixes

Prevents creation of objects within Freemarker template files to ensure that template editors can not cause external code to be executed.

3 Bug fixes

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.

3 Bug fixes

Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none.

3 Bug fixes

Fixes a bug where data loss could occur in Push collections if commits failed.

3 Bug fixes

Fixes a bug on Windows where commits could fail if index files in a snapshot are held open.

3 Bug fixes

Fixes various DLS security flaws.

3 Bug fixes

Fixes a bug where data loss could occur in push on Windows. The problem is more likely to occur when Push is used in a meta collection.