Funnelback 15.6 patches

Patches

Type Release version Description

3 Bug fixes

Upgrades log4j2 to version 2.17 to fix the security vulnerability where Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

3 Bug fixes

Prevents creation of objects within Freemarker template files to ensure that template editors cannot cause external code to be executed.

3 Bug fixes

Fixes security issues where:

  • The default form-not-found template reflected the given form id without proper escaping.

  • The default configuration of URL previewing could be used to expose local log file content.

Please ensure any custom form-not-found.ftl templates in collections are updated to perform correct escaping if they were derived from the previously vulnerable form-not-found.default.ftl.
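The two FreeMarker issues above (object creation from inside a template, and a form id reflected without escaping) shown side by side with their fixes in a stand-alone Groovy script. This is an added example, not Funnelback's code and not its actual patch: `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` is one standard FreeMarker control that produces the behaviour the patch note describes, and `?html` is the plain FreeMarker escaping built-in. The template names, the model key `formId`, the attacker-supplied value and the FreeMarker 2.3.31 dependency pulled in via `@Grab` are all assumptions made for the example; the unhardened template really runs `id`, so a Unix-like host is assumed.

```groovy
// Added example (not Funnelback code). Demonstrates, with plain FreeMarker:
//  1. why a template editor gets code execution through the ?new built-in, and one
//     standard way to shut that off (ALLOWS_NOTHING_RESOLVER);
//  2. why reflecting a request value such as a form id unescaped is XSS, and the
//     ?html built-in that fixes it.
// Template names, the formId value and FreeMarker 2.3.31 are assumptions for the demo.
@Grab('org.freemarker:freemarker:2.3.31')
import freemarker.cache.StringTemplateLoader
import freemarker.core.TemplateClassResolver
import freemarker.template.Configuration
import freemarker.template.TemplateException

// Build a FreeMarker configuration over in-memory templates.
Configuration configure(Map<String, String> templates, boolean hardened) {
    Configuration cfg = new Configuration(Configuration.VERSION_2_3_31)
    StringTemplateLoader loader = new StringTemplateLoader()
    templates.each { name, text -> loader.putTemplate(name, text) }
    cfg.templateLoader = loader
    if (hardened) {
        // Every "..."?new() in every template now throws instead of instantiating a class,
        // whatever class name the template author supplies.
        cfg.newBuiltinClassResolver = TemplateClassResolver.ALLOWS_NOTHING_RESOLVER
    }
    return cfg
}

String render(Configuration cfg, String name, Map model) {
    StringWriter out = new StringWriter()
    cfg.getTemplate(name).process(model, out)
    return out.toString().trim()
}

Map<String, String> templates = [
    // 1. Execute is a FreeMarker utility whose call runs its argument as an OS command.
    'rce.ftl'          : '<#assign ex = "freemarker.template.utility.Execute"?new()>${ex("id")}',
    // 2a. The unsafe pattern described in the patch note: the form id lands in the page as-is.
    'not-found-bad.ftl': 'Form "${formId}" was not found.',
    // 2b. The fix: HTML-escape the reflected value.
    'not-found-ok.ftl' : 'Form "${formId?html}" was not found.',
]

// Constructed attacker input, as it would arrive in the request's form parameter.
Map model = [formId: '<script>alert(document.cookie)</script>']

// --- 1. object creation from a template ---------------------------------------
println 'default resolver   : ' + render(configure(templates, false), 'rce.ftl', [:])
try {
    render(configure(templates, true), 'rce.ftl', [:])
} catch (TemplateException e) {
    println 'ALLOWS_NOTHING     : refused (' + e.getMessageWithoutStackTop() + ')'
}

// --- 2. reflected form id -----------------------------------------------------
Configuration cfg = configure(templates, true)
println 'unescaped          : ' + render(cfg, 'not-found-bad.ftl', model)
println 'escaped with ?html : ' + render(cfg, 'not-found-ok.ftl', model)
```

Run with `groovy demo.groovy`. The first line prints the output of `id`, the second prints FreeMarker's refusal, and the last two show the script tag intact versus encoded as `&lt;script&gt;`. `?html` is only correct for HTML body and attribute context; a value written into a JavaScript block or a URL needs `?js_string` or `?url` respectively. When you audit a custom `form-not-found.ftl`, check every `${...}` that carries request data, not only the one the default template reflected.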

Please ensure that any customised value for the global default_url_renderer.permitted_url_pattern setting in global.cfg prevents access to file:// URLs.
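A check for the `default_url_renderer.permitted_url_pattern` advice above, as an added Groovy example that is not Funnelback's code. It assumes the setting is evaluated as a Java regular expression that the whole candidate URL must match (`Matcher.matches()`); the two patterns, the host `example.org` and the probe URLs are constructed for the example. It goes slightly beyond the page's wording in that the corrected pattern rejects every scheme other than http and https, not just `file://`.

```groovy
// Added example (not Funnelback code). Shows how a permitted-URL regex written to
// "allow my own site" still lets file:// URLs through, and an anchored, scheme-pinned
// pattern that does not. Assumption: the setting is applied as a Java regex that the
// whole URL must match. Patterns, host and URLs are constructed for the demo.
import java.util.regex.Pattern

boolean permitted(String pattern, String url) {
    return Pattern.compile(pattern).matcher(url).matches()
}

// Looks reasonable, but only requires the host name to appear somewhere in the URL.
String weak  = '.*example\\.org.*'

// Scheme pinned to http(s), host fixed at the authority position, explicitly anchored
// at both ends so the result is the same under matches() and find() semantics.
String fixed = '(?i)^https?://(www\\.)?example\\.org(/.*)?$'

List<String> urls = [
    'https://www.example.org/search.html',           // legitimate
    'http://example.org',                             // legitimate, no path
    'file:///opt/funnelback/log/example.org',         // local log read: host appears in the path
    'file:///etc/passwd?host=example.org',            // host appears only in the query string
    'https://example.org.attacker.test/',             // host suffix trick
    'https://example.org@attacker.test/',             // userinfo trick
    'https://attacker.test/?u=https://example.org/',  // host appears in a parameter value
]

printf('%-48s %-5s %-5s%n', 'url', 'weak', 'fixed')
urls.each { u ->
    printf('%-48s %-5s %-5s%n', u, permitted(weak, u), permitted(fixed, u))
}
```

Only the first two URLs pass the corrected pattern; the weak one accepts all seven. Whenever a permitted-URL pattern is customised, run the candidate pattern against a few `file://` probes (including ones that smuggle the host name into the path, query or fragment) before putting it in global.cfg, and remember that allowing a host is not the same as allowing a scheme.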

3 Bug fixes

Fixed an issue where the user editing interface for a user with no permitted collections would be presented with all collections selected, rather than none.

3 Bug fixes

Changes the click tracking endpoint to no longer depend on the referrer. This does result in the click logs no longer containing the referrer URL.

3 Bug fixes

Avoids the output of the DiskAggregator reports phase being overwritten by the DataMiner phase.

3 Bug fixes

Updates the version of restfb so that custom Facebook gatherers may use a later version of the graph API.

3 Bug fixes

Fixes a bug in the query processor where sorting on file size did not work.

3 Bug fixes

Fixes an issue where instant delete tried to kill documents from an index that does not exist, causing the update to fail.

3 Bug fixes

Fixes an issue where HSTS was not disabled on all end points.

3 Bug fixes

Fixes an issue where the analytics log was always appended to, resulting in a log file that always grew in size.

3 Bug fixes

Fixes an issue where the URL sent in Trend Alerts emails would not be correctly redirected to the Trend Alerts dashboard.

3 Bug fixes

Updates the version of pdfbox used for filtering so that more PDFs can be correctly filtered.

3 Bug fixes

Improves the performance of Content Auditor as well as some faceted navigation queries.

3 Bug fixes

Fixes a bug in the query processor introduced in patch 15.6.0.23. The previous query processor may be slower or cause an OutOfMemoryError on the Jetty web server.

3 Bug fixes

Fixes a bug with promoted URLs where those that were only partial matches would not be promoted to the top position.

3 Bug fixes

Fixes a bug with Trend Alerts links always referring to the ‘Classic UI’ interface. These links will now refer to the collection’s configured search interface.

3 Bug fixes

Fixes an issue with patch 15.6.0.20 which may cause indexing to fail.

3 Bug fixes

Fixes an issue where a space would not be added after a UTF-8 punctuation character.

3 Bug fixes

Fixes a bug with the license usage API which included documents that are not normally searchable, e.g. duplicate documents and binary documents.

3 Bug fixes

Fixes acknowledgements of nested issues in Accessibility Auditor. The acknowledgement popup that opened was the one from the outer issue, rather than the inner one.

3 Bug fixes

Fixes a bug where spaces may be inserted after a unicode (non ASCII) punctuation character for example 'foo’s'.

3 Bug fixes

Fixes a bug where administrator users with collection restrictions would have their user configuration files corrupted when creating new collections.

3 Bug fixes

Fixes an issue where an incorrect profile parameter was passed to the Marketing Dashboard’s feature pages when a user viewed the Admin Home Page for the first time, or when the user’s cookie had been cleared or had expired.

3 Bug fixes

Fixes an issue where accessibility auditor acknowledgements could be incorrectly treated as not-editable.

3 Bug fixes

Fixes an issue where very large images could be uploaded to /s/scale, consuming all memory on the server. Note that a default size limit of 1MB is now applied, and can be configured with the default_image_fetcher.max_source_image_bytes global.cfg setting where implementations require a larger value.

3 Bug fixes

Fixes an issue where the list of available profiles was incorrect, and an incorrect profile parameter was passed to the Marketing Dashboard’s feature pages, when a user had access to only one profile listed in the *.ini file under the key `profile = `.

3 Bug fixes

Fixes a cross-site scripting vulnerability where HTML passed to the CheckBlending macro’s linkText attribute was output without escaping.

3 Bug fixes

Fixes an issue where Content Auditor forced the faceted navigation configuration to be read from the live folder rather than from the conf folder, even when it was configured to read from conf.

3 Bug fixes

Corrects an XSS vulnerability in Anchors.html.

3 Bug fixes

Fixes a spacing displacement in the Content Auditor URI dropdown by adding a JavaScript function and some minor CSS changes.

3 Bug fixes

Fixes an issue with historical reporting in the Accessibility Auditor, where the chart may not be displayed when scoped to a specific portfolio.

3 Bug fixes

Fixes an issue where padre-i4u may fail if the same URL occurs, without having been killed, in multiple indexes.

3 Bug fixes

Fixes a bug where reset passwords would be reverted on the next classic administration dashboard password change.

Please note that bin/setup/post_install* scripts are not updated with this patch, and will no longer operate correctly until the next released version of Funnelback is installed.

3 Bug fixes

Fixes a bug in the Marketing Dashboard where the link to the Accessibility Auditor report in the left-hand navigation menu was not available.

3 Bug fixes

Applies the custom servlet filter functionality to push-api requests as well as public-ui ones. This allows additional push requests to be manipulated before Funnelback processes them, and output to be captured for audit logging or other purposes.

https://docs.funnelback.com/custom_servlet_filter_hook.html documents the general mechanism; however, this patch changes some details, in particular:

  • The GroovyServletFilterHook class has moved to com.funnelback.springmvc.web.filter.GroovyServletFilterHook allowing it to be shared

  • The hook class now defines an additional public ServletResponse preFilterRequest(ServletRequest request) method

  • The class com.funnelback.publicui.search.web.filters.utils.FilterParameterHandling should no longer be used (will be unavailable in 15.8)

To use the mechanism with the push-api, a suitable Groovy script must be created at $SEARCH_HOME/conf/$COLLECTION_NAME/GroovyServletFilterHookPushImpl.groovy

3 Bug fixes

Fix a bug in the Admin API (affecting the dashboard) where the "top clicks" for a service would not be scoped to the service but would show all URLs for the collection.

3 Bug fixes

Prevents a deadlock from occurring in the admin-api which may cause the marketing UI to not respond.

3 Bug fixes

Ensures the crawler’s User-Agent header, when set in collection.cfg, is applied everywhere.

3 Bug fixes

Corrects the URL used to view the SEO Auditor page in Content Auditor.

3 Bug fixes

Fixes a bug in the naming of start_time files which caused all non-push collections to display incorrect last update times.

3 Bug fixes

Fixes a bug where the HTTPClient library attempts to get user permission to store a cookie by creating a dialogue box.