1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +### (2025-08-28) What's new in **ROR 1.66.0** |
| 4 | +<details> |
| 5 | +<summary><strong>🚨 Security Fix</strong> (KBN) <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-7339">CVE-2025-7339</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-7783">CVE-2025-7783</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-54419">CVE-2025-54419</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-9288">CVE-2025-9288</a></summary> |
| 6 | +Addresses multiple third-party library vulnerabilities including: CVE-2025-7339 (on-headers middleware header modification), CVE-2025-7783 (form-data library HTTP parameter pollution), CVE-2025-54419 (Node-SAML authentication bypass), and CVE-2025-9288 (sha.js input validation). These updates prevent potential security exploits in dependent components. |
| 7 | +</details> |
| 8 | +<details> |
| 9 | +<summary><strong>🐞 Security Fix</strong> (KBN) <a href="https://forum.readonlyrest.com/t/hidden-functions-are-available-through-the-search/2840/2">Prevented visibility of hidden functions through Kibana UI search</a></summary> |
| 10 | +Fixes a security issue where hidden functions that should be restricted were discoverable through Kibana's search interface. This ensures that only authorized functions are visible to users based on their access permissions. |
| 11 | +</details> |
| 12 | +<details> |
| 13 | +<summary><strong>🚨Security Fix</strong> (ES) Removed internal failure details from error responses to prevent unintended information disclosure</summary> |
| 14 | +Enhances security by eliminating sensitive internal error information from API responses. This prevents potential attackers from gathering system intelligence through error messages while maintaining necessary debugging information for administrators. |
| 15 | +</details> |
| 16 | +<details> |
| 17 | +<summary><strong>🧐Enhancement</strong> (ES) Refined user metadata selection logic during login to prioritize matched blocks associated with a defined Kibana index</summary> |
| 18 | +Improves login behavior by optimizing how user metadata is selected, ensuring that blocks with explicitly defined Kibana indices are prioritized over generic blocks for better access control consistency. |
| 19 | +</details> |
| 20 | +<details> |
| 21 | +<summary><strong>🧐Enhancement</strong> (ES) Patching: improved handling of the consent flag when provided via environment variables for more reliable configuration</summary> |
| 22 | +Enhances configuration reliability by improving how consent flags are processed when set through environment variables, ensuring consistent behavior across different deployment scenarios. |
| 23 | +</details> |
| 24 | +<details> |
| 25 | +<summary><strong>🐞 Fix</strong> (KBN) Resolved issue with index deletion in <strong>Index Management</strong> via Kibana UI</summary> |
| 26 | +Fixes a bug that prevented proper index deletion operations through Kibana's Index Management interface when using ReadOnlyRest security controls. |
| 27 | +</details> |
| 28 | +<details> |
| 29 | +<summary><strong>🐞 Fix</strong> (KBN) Corrected document display in <strong>Discover</strong> when indices are defined in the user ACL block</summary> |
| 30 | +Addresses an issue where document visibility in Kibana's Discover tab was inconsistent when indices were configured through user ACL blocks, ensuring proper document display based on access permissions. |
| 31 | +</details> |
| 32 | +<details> |
| 33 | +<summary><strong>🐞 Fix</strong> (KBN) Fixed an error preventing <strong>Spaces</strong> from being deleted in Kibana <strong>9.1.0</strong></summary> |
| 34 | +Resolves a compatibility issue with Kibana 9.1.0 where Space deletion operations were failing due to conflicts with ReadOnlyRest's security enforcement mechanisms. |
| 35 | +</details> |
| 36 | +<details> |
| 37 | +<summary><strong>🐞 Fix</strong> (KBN) Corrected handling of <code>readonlyrest_kbn.whitelistedPaths</code> in <code>kibana.yml</code> when <code>xpack.security.enabled: true</code></summary> |
| 38 | +Fixes configuration parsing for whitelisted paths when X-Pack security is enabled, ensuring that path exclusions work correctly alongside Elasticsearch's native security features. |
| 39 | +</details> |
| 40 | +<details> |
| 41 | +<summary><strong>🐞 Fix</strong> (KBN) Resolved startup issues for Kibana versions <strong>7.9.0 → 7.10.2</strong></summary> |
| 42 | +Addresses compatibility problems that caused startup failures in older Kibana versions (7.9.0 to 7.10.2), ensuring backward compatibility and smooth operation across supported Kibana releases. |
| 43 | +</details> |
| 44 | +<details> |
| 45 | +<summary><strong>🐞 Fix</strong> (KBN) Fixed report generation when <code>xpack.security.enabled: true</code> and <code>xpack.encryptedSavedObjects.encryptionKey</code> is set in Kibana <strong>8.19.x</strong> and <strong>9.1.x</strong></summary> |
| 46 | +Resolves report generation failures in specific Kibana versions when both X-Pack security and encrypted saved objects are configured, ensuring proper functionality of reporting features with security enhancements. |
| 47 | +</details> |
| 48 | + |
3 | 49 | ### (2025-07-15) What's new in **ROR 1.65.1** |
4 | 50 | <details> |
5 | 51 | <summary><strong>🚀New</strong> (KBN) 9.1.1, 9.1.0, 9.0.5, 9.0.4, 8.19.2, 8.19.1, 8.19.0, 8.18.5, 8.18.4, 8.17.10, 8.17.9 support</summary> |
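Review bot: The three security entries at the top of the 1.66.0 block are labelled inconsistently: the CVE entry uses "🚨 Security Fix", the hidden-functions entry uses "🐞 Security Fix", and the ES error-response entry uses "🚨Security Fix" with no space after the emoji. Use one marker and one spacing for all security fixes so that anyone scanning or filtering the changelog for security items finds all three. In the ES error-response entry, the description says debugging information is still maintained for administrators but does not say where it is now available; naming that place would tell operators where to look after upgrading. The CVE entry names the affected libraries but not the versions they were updated to, which is what someone reconciling a dependency scan against this release would need.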