Prepare for 4.13.0 (#5193)

CHANGELOG.md

@@ -1,3 +1,61 @@
+## Fleet 4.13.0 (Apr 18, 2022)
+
+### This is a security release.
+
+* **Security**: Fix several post-authentication authorization issues. Only Fleet Premium users that
+  have team users are affected. Fleet Free users do not have access to the teams feature and are
+  unaffected. See the following security advisory for details: https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr
+
+* Improve performance of software inventory on Windows hosts.
+
+* Add `basic​_auth.username` and `basic_auth.password` [Prometheus configuration options](https://fleetdm.com/docs/deploying/configuration#prometheus). The `GET
+/metrics` API route is now disabled if these configuration options are left unspecified. 
+
+* Fleet Premium: Add ability to specify a team specific "Destination URL" for policy automations.
+This allows the user to configure Fleet to send a webhook request to a unique location for
+policies that belong to a specific team. Documentation on what data is included the webhook
+request and when the webhook request is sent can be found here on [fleedm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations)
+
+* Add ability to see the total number of hosts with a specific macOS version (ex. 12.3.1) on the
+**Home > macOS** page. This information is also available via the [`GET /os_versions` API route](https://fleetdm.com/docs/using-fleet/rest-api#get-host-os-versions).
+
+* Add ability to sort live query results in the Fleet UI.
+
+* Add a "Vulnerabilities" column to **Host details > Software** page. This allows the user see and search for specific vulnerabilities (CVEs) detected on a specific host.
+
+* Update vulnerability automations to fire anytime a vulnerability (CVE), that is detected on a
+  host, was published to the
+  National Vulnerability Database (NVD) in the last 30 days, is detected on a host. In previous
+  versions of Fleet, vulnerability automations would fire anytime a CVE was published to NVD in the
+  last 2 days.
+
+* Update the **Policies** page to ask the user to wait to see accurate passing and failing counts for new and recently edited policies.
+
+* Improve API-only (integration) users by removing the requirement to reset these users' passwords
+  before use. Documentation on how to use API-only users can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/fleetctl-cli#using-fleetctl-with-an-api-only-user).
+
+* Improve the responsiveness of the Fleet UI by adding tablet screen width support for the **Software**,
+  **Queries**, **Schedule**, **Policies**, **Host details**, **Settings > Teams**, and **Settings > Users** pages.
+
+* Add Beta support for integrating with Jira to automatically create a Jira issue when a
+  new vulnerability (CVE) is detected on a host in Fleet. 
+
+* Add Beta support for Fleet Desktop on Windows. Fleet Desktop allows the device user to see
+information about their device. To add Fleet Desktop to a Windows device, first add the
+`--fleet-desktop` flag to the `fleectl package` command to generate a Fleet-osquery installer that
+includes Fleet Desktop. Then, open this installer on the device.
+
+* Fix a bug in which downloading [Fleet's vulnerability database](https://github.com/fleetdm/nvd) failed if the destination directory specified
+was not in the `tmp/` directory.
+
+* Fix a bug in which the "Updated at" time was not being updated for the "Mobile device management
+(MDM) enrollment" and "Munki versions" information on the **Home > macOS** page.
+
+* Fix a bug in which Fleet would consider Docker network interfaces to be a host's primary IP address.
+
+* Fix a bug in which tables in the Fleet UI would present misaligned buttons.
+
+* Fix a bug in which Fleet failed to connect to Redis in standalone mode.
 ## Fleet 4.12.1 (Apr 4, 2022)
 
 * Fix a bug in which a user could not log in with basic authentication. This only affects Fleet deployments that use a [MySQL read replica](https://fleetdm.com/docs/deploying/configuration#my-sql).

changes/activities-rbac

@@ -1 +0,0 @@
-* Restrict non-global user from access to activities

changes/fix-policies-in-standard-query-library

@@ -1 +0,0 @@
-* Fix `platform` field for policies in `docs/01-Using-Fleet/standard-query-library/standard-query-library.yml`.

changes/issue-2322-authd-metrics

@@ -1 +0,0 @@
-* Add HTTP Basic Auth to Fleet's `/metrics` endpoint. (If credentials are not set, the `/metrics` endpoint is disabled.)

changes/issue-2603-deprecate-global-in-routes

@@ -1 +0,0 @@
-* Introduce new API version (`/api/2022-04/...`, aliased as `/api/latest/...`) to introduce breaking changes that remove `/global` sections from the paths (the deprecated API is still available under `/api/v1/...`)

changes/issue-2814-export-hosts-as-csv

@@ -1 +0,0 @@
-* Add ability to export host as CSV from the UI

changes/issue-2825-os-versions

@@ -1 +0,0 @@
-* Add os versions endpoint to retrieve host counts by os version

changes/issue-2936-ui-includes-jira-integration

@@ -1 +0,0 @@
-* Admin users can set jira integrations and software vulnerabilities to jira in the UI

changes/issue-3269-policy-automation-team

@@ -1 +0,0 @@
-- Added policy automation for teams

changes/issue-3300-policies-not-yet-accurate

@@ -1 +0,0 @@
-* Indicate if a policy has not completed an initial run

changes/issue-3502-tables

@@ -1 +0,0 @@
-* Update UI tables with responsive columns to 768px screen width

changes/issue-3573-remove-enroll-secrets-from-settings-page

@@ -1 +0,0 @@
-* Global enroll secrets not viewable on the settings page (viewable and modifable on Manage Hosts page and Team Details page only)

changes/issue-4132-software-messaging

@@ -1 +0,0 @@
-* Improve software tables messages for missing software information

changes/issue-4214-vulnerabilities-column

@@ -1 +0,0 @@
-* Host details page software table now has search by vulnerabilities and a vulnerabilities column

changes/issue-4261-software-query

@@ -1 +0,0 @@
-* Improve performance of software inventory query on Windows Domain Controllers.

changes/issue-4262-macOS-versions

@@ -1 +0,0 @@
-* Add macOS versions card to home page

changes/issue-4521-test-jira-settings-on-config-save

@@ -1 +0,0 @@
-* Test the enabled Jira integration settings when saving the configuration.

changes/issue-4537-accessibility-through-tabbing

@@ -1 +0,0 @@
-* Users can tab through the apps clickable elements

changes/issue-4540-remove-password-reset-for-api-only-users

@@ -1 +0,0 @@
-* Remove requirement for forced password reset for new API-only users

changes/issue-4572-sort-live-queries

@@ -1 +0,0 @@
-* Users can sort all columns of live queries and live policies in the UI

changes/issue-4734-aggregated-stats-update

@@ -1,2 +0,0 @@
-* Fix updated_at in aggregated stats not being updated. Affects counts_updated_at
-  returned from /api/v1/fleet/macadmins endpoint

changes/issue-4754-docker-interface

@@ -1 +0,0 @@
-* Don't consider Docker network interfaces for primary IP on hosts.

changes/issue-4792-download-tmp

@@ -1 +0,0 @@
-* Fix issue when renaming temporary files to another filesystem

changes/issue-4799-fix-table-headers

@@ -1 +0,0 @@
-* Fix table headers showing or misaligned when selection is active

changes/issue-4807-fleet-desktop-windows

@@ -1 +0,0 @@
-* Add beta support for Fleet Desktop on Windows.

changes/issue-4846-add-jira-integrations-config

@@ -1 +0,0 @@
-* Add new Jira integrations configuration support (_alpha_ feature).

changes/issue-4847-queue-jira-ticket-creation-jobs

@@ -1 +0,0 @@
-* Queue Jira ticket creation jobs when new vulnerabilities are found and a Jira integration is enabled.

changes/issue-4864-enter-submits-form

@@ -1 +0,0 @@
-* Pressing enter submits forms app-wide

changes/issue-4879-extend-vuln-period

@@ -1 +0,0 @@
-* Extend the maximum age for a vulnerability to be considered recent to 30 days instead of 2.

changes/issue-5048-detect-noperm-redis-standalone

@@ -1 +0,0 @@
-* Support Redis in standalone mode when CLUSTER commands are disabled via ACL.

changes/issue-GHSA-pr2g-j78h-84cr

@@ -1,3 +0,0 @@
-* Fix access control issues with "user" endpoints.
-* Fix access control issues with "pack" endpoints.
-* Fix access control issues with "software" endpoints.

changes/issue-jira-loadtest-add-recent-vuln-max-age

@@ -1 +0,0 @@
-* Add the `vulnerabilities.recent_vulnerability_max_age` configuration option.

charts/fleet/Chart.yaml

@@ -4,8 +4,8 @@ name: fleet
 keywords:
   - fleet
   - osquery
-version: v4.12.1
+version: v4.13.0
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.12.1
+appVersion: v4.13.0

charts/fleet/values.yaml

@@ -2,7 +2,7 @@
 # All settings related to how Fleet is deployed in Kubernetes
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
-imageTag: v4.12.1 # Version of Fleet to deploy
+imageTag: v4.13.0 # Version of Fleet to deploy
 createIngress: true # Whether or not to automatically create an Ingress
 ingressAnnotations: {} # Additional annotation to add to the Ingress
 podAnnotations: {} # Additional annotations to add to the Fleet pod

infrastructure/dogfood/terraform/aws/variables.tf

@@ -56,7 +56,7 @@ variable "database_name" {
 
 variable "fleet_image" {
   description = "the name of the container image to run"
-  default     = "fleetdm/fleet:v4.12.1"
+  default     = "fleetdm/fleet:v4.13.0"
 }
 
 variable "software_inventory" {

infrastructure/dogfood/terraform/gcp/variables.tf

@@ -68,5 +68,5 @@ variable "redis_mem" {
 }
 
 variable "image" {
-  default = "fleet:v4.12.1"
+  default = "fleet:v4.13.0"
 }

tools/fleetctl-npm/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fleetctl",
-  "version": "v4.12.1",
+  "version": "v4.13.0",
   "description": "Installer for the fleetctl CLI tool",
   "bin": {
     "fleetctl": "./run.js"