Funnelback 16.4 patches

Patches

| Type | Release version | Description |
|---|---|---|
| Bug fixes | | Fixed an issue where the environment was not detected correctly in the configuration, causing configuration key values to revert to their default values. |
| Bug fixes | | Fixed an issue with client-based APIs where incorrect permissions were returned. |
| Bug fixes | | Fixed an issue with the IncludeUrl Freemarker macro that prevented some relative links from being converted to absolute links. Added a new option, convertRelativeRequiresSpace, to the Freemarker IncludeUrl macro that expects a space between HTML attributes while converting relative URLs into absolute ones. The extraction of relative links now follows the W3C standard regarding the validity of HTML pages. |
| Important changes | | Changed client-based APIs to return what the user has access to based on the clientId, rather than just reading the resource's role. |
| Bug fixes | | Fixed an issue that prevented internal documentation within the administration dashboard from displaying in some circumstances. |
| Bug fixes | | Fixed an issue that caused administration dashboard labels to display intermittently. |
| Bug fixes | | Fixed an issue where the Freemarker template upgrader incorrectly upgraded custom variables named metaData. |
| Bug fixes | | Fixed an issue where trend alert notifications were not generated. |
| Bug fixes | | Fixed an issue preventing the correct export of content auditor and accessibility auditor documents in CSV format. |
| Bug fixes | | Fixed an issue where fetching Facebook comments would cause an infinite loop due to changes within the Facebook endpoints. |
| Bug fixes | | Fixed a security vulnerability where jackson-databind might allow remote attackers to execute arbitrary code or conduct XML external entity (XXE) attacks. |
| Bug fixes | | Fixed a security vulnerability where com.google.oauth-client had not implemented PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps. |
| Bug fixes | | Fixed the security vulnerability where Spring Framework may be vulnerable to remote code execution (RCE) via data binding [CVE-2022-22965]. |
| Bug fixes | | Removed the broken administration UI used to configure the reporting email, since as of v16 those settings are configured via the results page configuration UI. |
| Bug fixes | | Upgrades log4j2 to version 2.17 to fix the security vulnerability where the Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. |
| Bug fixes | | Upgrades log4j2 to version 2.15 to fix the security vulnerability where log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints. |
| Bug fixes | | Fixes an issue where the collection tool would return an error for the index presence check. |
| Bug fixes | | Restored access to data reports from the administration dashboard. |
| Bug fixes | | Improves access to documentation for individual plugins from the extensions administration UI. |
| Bug fixes | | Fixes an issue where the edit metadata mappings administration UI would not properly display counts of detected sources in searchable documents. |
| Bug fixes | | Fixes an issue where the tuning results administration UI could not help apply the outcome of a tuning run. |
| Bug fixes | | Fixes an issue where the Perl file manager threw an exception about untainted values when users tried to upload files. |
| Bug fixes | | Fixes an issue where the Perl file manager threw an exception about untainted values when users tried to publish or delete files. |
| Bug fixes | | Fixes an issue where rules defined in redirects.cfg would not work. |
| Bug fixes | | Fixes the Admin API side of the create-collection.pl fix released in patch 16.4.0.1. |
| Bug fixes | | Fixes create-collection.pl. |