diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4aa5eb9832..e3012f7054 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,61 @@ +## Fleet 4.13.0 (Apr 18, 2022) + +### This is a security release. + +* **Security**: Fix several post-authentication authorization issues. Only Fleet Premium users that + have team users are affected. Fleet Free users do not have access to the teams feature and are + unaffected. See the following security advisory for details: https://github.com/fleetdm/fleet/security/advisories/GHSA-pr2g-j78h-84cr + +* Improve performance of software inventory on Windows hosts. + +* Add `basic​_auth.username` and `basic_auth.password` [Prometheus configuration options](https://fleetdm.com/docs/deploying/configuration#prometheus). The `GET +/metrics` API route is now disabled if these configuration options are left unspecified. + +* Fleet Premium: Add ability to specify a team specific "Destination URL" for policy automations. +This allows the user to configure Fleet to send a webhook request to a unique location for +policies that belong to a specific team. Documentation on what data is included the webhook +request and when the webhook request is sent can be found here on [fleedm.com/docs](https://fleetdm.com/docs/using-fleet/automations#vulnerability-automations) + +* Add ability to see the total number of hosts with a specific macOS version (ex. 12.3.1) on the +**Home > macOS** page. This information is also available via the [`GET /os_versions` API route](https://fleetdm.com/docs/using-fleet/rest-api#get-host-os-versions). + +* Add ability to sort live query results in the Fleet UI. + +* Add a "Vulnerabilities" column to **Host details > Software** page. This allows the user see and search for specific vulnerabilities (CVEs) detected on a specific host. + +* Update vulnerability automations to fire anytime a vulnerability (CVE), that is detected on a + host, was published to the + National Vulnerability Database (NVD) in the last 30 days, is detected on a host. 
In previous + versions of Fleet, vulnerability automations would fire anytime a CVE was published to NVD in the + last 2 days. + +* Update the **Policies** page to ask the user to wait to see accurate passing and failing counts for new and recently edited policies. + +* Improve API-only (integration) users by removing the requirement to reset these users' passwords + before use. Documentation on how to use API-only users can be found here on [fleetdm.com/docs](https://fleetdm.com/docs/using-fleet/fleetctl-cli#using-fleetctl-with-an-api-only-user). + +* Improve the responsiveness of the Fleet UI by adding tablet screen width support for the **Software**, + **Queries**, **Schedule**, **Policies**, **Host details**, **Settings > Teams**, and **Settings > Users** pages. + +* Add Beta support for integrating with Jira to automatically create a Jira issue when a + new vulnerability (CVE) is detected on a host in Fleet. + +* Add Beta support for Fleet Desktop on Windows. Fleet Desktop allows the device user to see +information about their device. To add Fleet Desktop to a Windows device, first add the +`--fleet-desktop` flag to the `fleectl package` command to generate a Fleet-osquery installer that +includes Fleet Desktop. Then, open this installer on the device. + +* Fix a bug in which downloading [Fleet's vulnerability database](https://github.com/fleetdm/nvd) failed if the destination directory specified +was not in the `tmp/` directory. + +* Fix a bug in which the "Updated at" time was not being updated for the "Mobile device management +(MDM) enrollment" and "Munki versions" information on the **Home > macOS** page. + +* Fix a bug in which Fleet would consider Docker network interfaces to be a host's primary IP address. + +* Fix a bug in which tables in the Fleet UI would present misaligned buttons. + +* Fix a bug in which Fleet failed to connect to Redis in standalone mode. 
## Fleet 4.12.1 (Apr 4, 2022) * Fix a bug in which a user could not log in with basic authentication. This only affects Fleet deployments that use a [MySQL read replica](https://fleetdm.com/docs/deploying/configuration#my-sql). diff --git a/changes/activities-rbac b/changes/activities-rbac deleted file mode 100644 index d8b80a4efb..0000000000 --- a/changes/activities-rbac +++ /dev/null @@ -1 +0,0 @@ -* Restrict non-global user from access to activities \ No newline at end of file diff --git a/changes/fix-policies-in-standard-query-library b/changes/fix-policies-in-standard-query-library deleted file mode 100644 index 0056ad9f83..0000000000 --- a/changes/fix-policies-in-standard-query-library +++ /dev/null @@ -1 +0,0 @@ -* Fix `platform` field for policies in `docs/01-Using-Fleet/standard-query-library/standard-query-library.yml`. diff --git a/changes/issue-2322-authd-metrics b/changes/issue-2322-authd-metrics deleted file mode 100644 index 06e68b0405..0000000000 --- a/changes/issue-2322-authd-metrics +++ /dev/null @@ -1 +0,0 @@ -* Add HTTP Basic Auth to Fleet's `/metrics` endpoint. (If credentials are not set, the `/metrics` endpoint is disabled.) diff --git a/changes/issue-2603-deprecate-global-in-routes b/changes/issue-2603-deprecate-global-in-routes deleted file mode 100644 index 4263d365c5..0000000000 --- a/changes/issue-2603-deprecate-global-in-routes +++ /dev/null @@ -1 +0,0 @@ -* Introduce new API version (`/api/2022-04/...`, aliased as `/api/latest/...`) to introduce breaking changes that remove `/global` sections from the paths (the deprecated API is still available under `/api/v1/...`) diff --git a/changes/issue-2814-export-hosts-as-csv b/changes/issue-2814-export-hosts-as-csv deleted file mode 100644 index 6ae37db497..0000000000 --- a/changes/issue-2814-export-hosts-as-csv +++ /dev/null @@ -1 +0,0 @@ -* Add ability to export host as CSV from the UI \ No newline at end of file 
diff --git a/changes/issue-2825-os-versions b/changes/issue-2825-os-versions
deleted file mode 100644
index bda2f8a166..0000000000
--- a/changes/issue-2825-os-versions
+++ /dev/null
@@ -1 +0,0 @@
-* Add os versions endpoint to retrieve host counts by os version
diff --git a/changes/issue-2936-ui-includes-jira-integration b/changes/issue-2936-ui-includes-jira-integration
deleted file mode 100644
index 8600962840..0000000000
--- a/changes/issue-2936-ui-includes-jira-integration
+++ /dev/null
@@ -1 +0,0 @@
-* Admin users can set jira integrations and software vulnerabilities to jira in the UI
\ No newline at end of file
diff --git a/changes/issue-3269-policy-automation-team b/changes/issue-3269-policy-automation-team
deleted file mode 100644
index 93a3c40b72..0000000000
--- a/changes/issue-3269-policy-automation-team
+++ /dev/null
@@ -1 +0,0 @@
-- Added policy automation for teams
\ No newline at end of file
diff --git a/changes/issue-3300-policies-not-yet-accurate b/changes/issue-3300-policies-not-yet-accurate
deleted file mode 100644
index 7678d32552..0000000000
--- a/changes/issue-3300-policies-not-yet-accurate
+++ /dev/null
@@ -1 +0,0 @@
-* Indicate if a policy has not completed an initial run
\ No newline at end of file
diff --git a/changes/issue-3502-tables b/changes/issue-3502-tables
deleted file mode 100644
index 8bbdbfcf8d..0000000000
--- a/changes/issue-3502-tables
+++ /dev/null
@@ -1 +0,0 @@
-* Update UI tables with responsive columns to 768px screen width
\ No newline at end of file
diff --git a/changes/issue-3573-remove-enroll-secrets-from-settings-page b/changes/issue-3573-remove-enroll-secrets-from-settings-page
deleted file mode 100644
index a693aee08c..0000000000
--- a/changes/issue-3573-remove-enroll-secrets-from-settings-page
+++ /dev/null
@@ -1 +0,0 @@
-* Global enroll secrets not viewable on the settings page (viewable and modifable on Manage Hosts page and Team Details page only)
\ No newline at end of file
diff --git a/changes/issue-4132-software-messaging b/changes/issue-4132-software-messaging
deleted file mode 100644
index f0ec4af59a..0000000000
--- a/changes/issue-4132-software-messaging
+++ /dev/null
@@ -1 +0,0 @@
-* Improve software tables messages for missing software information
\ No newline at end of file
diff --git a/changes/issue-4214-vulnerabilities-column b/changes/issue-4214-vulnerabilities-column
deleted file mode 100644
index 7b94280618..0000000000
--- a/changes/issue-4214-vulnerabilities-column
+++ /dev/null
@@ -1 +0,0 @@
-* Host details page software table now has search by vulnerabilities and a vulnerabilities column
\ No newline at end of file
diff --git a/changes/issue-4261-software-query b/changes/issue-4261-software-query
deleted file mode 100644
index 84efd7579d..0000000000
--- a/changes/issue-4261-software-query
+++ /dev/null
@@ -1 +0,0 @@
-* Improve performance of software inventory query on Windows Domain Controllers.
diff --git a/changes/issue-4262-macOS-versions b/changes/issue-4262-macOS-versions
deleted file mode 100644
index 07a8f8f772..0000000000
--- a/changes/issue-4262-macOS-versions
+++ /dev/null
@@ -1 +0,0 @@
-* Add macOS versions card to home page
\ No newline at end of file
diff --git a/changes/issue-4521-test-jira-settings-on-config-save b/changes/issue-4521-test-jira-settings-on-config-save
deleted file mode 100644
index bb7aa305a1..0000000000
--- a/changes/issue-4521-test-jira-settings-on-config-save
+++ /dev/null
@@ -1 +0,0 @@
-* Test the enabled Jira integration settings when saving the configuration.
diff --git a/changes/issue-4537-accessibility-through-tabbing b/changes/issue-4537-accessibility-through-tabbing
deleted file mode 100644
index 7ae261eb9d..0000000000
--- a/changes/issue-4537-accessibility-through-tabbing
+++ /dev/null
@@ -1 +0,0 @@
-* Users can tab through the apps clickable elements
\ No newline at end of file
diff --git a/changes/issue-4540-remove-password-reset-for-api-only-users b/changes/issue-4540-remove-password-reset-for-api-only-users
deleted file mode 100644
index 747cdc6bf4..0000000000
--- a/changes/issue-4540-remove-password-reset-for-api-only-users
+++ /dev/null
@@ -1 +0,0 @@
-* Remove requirement for forced password reset for new API-only users
\ No newline at end of file
diff --git a/changes/issue-4572-sort-live-queries b/changes/issue-4572-sort-live-queries
deleted file mode 100644
index c8304144af..0000000000
--- a/changes/issue-4572-sort-live-queries
+++ /dev/null
@@ -1 +0,0 @@
-* Users can sort all columns of live queries and live policies in the UI
\ No newline at end of file
diff --git a/changes/issue-4734-aggregated-stats-update b/changes/issue-4734-aggregated-stats-update
deleted file mode 100644
index 65d3ada4e1..0000000000
--- a/changes/issue-4734-aggregated-stats-update
+++ /dev/null
@@ -1,2 +0,0 @@
-* Fix updated_at in aggregated stats not being updated. Affects counts_updated_at
- returned from /api/v1/fleet/macadmins endpoint
diff --git a/changes/issue-4754-docker-interface b/changes/issue-4754-docker-interface
deleted file mode 100644
index 05314af214..0000000000
--- a/changes/issue-4754-docker-interface
+++ /dev/null
@@ -1 +0,0 @@
-* Don't consider Docker network interfaces for primary IP on hosts.
diff --git a/changes/issue-4792-download-tmp b/changes/issue-4792-download-tmp
deleted file mode 100644
index bf718c02b9..0000000000
--- a/changes/issue-4792-download-tmp
+++ /dev/null
@@ -1 +0,0 @@
-* Fix issue when renaming temporary files to another filesystem
diff --git a/changes/issue-4799-fix-table-headers b/changes/issue-4799-fix-table-headers
deleted file mode 100644
index f95abad310..0000000000
--- a/changes/issue-4799-fix-table-headers
+++ /dev/null
@@ -1 +0,0 @@
-* Fix table headers showing or misaligned when selection is active
diff --git a/changes/issue-4807-fleet-desktop-windows b/changes/issue-4807-fleet-desktop-windows
deleted file mode 100644
index ffb2fd6bc7..0000000000
--- a/changes/issue-4807-fleet-desktop-windows
+++ /dev/null
@@ -1 +0,0 @@
-* Add beta support for Fleet Desktop on Windows.
diff --git a/changes/issue-4846-add-jira-integrations-config b/changes/issue-4846-add-jira-integrations-config
deleted file mode 100644
index 92ea41c2c0..0000000000
--- a/changes/issue-4846-add-jira-integrations-config
+++ /dev/null
@@ -1 +0,0 @@
-* Add new Jira integrations configuration support (_alpha_ feature).
diff --git a/changes/issue-4847-queue-jira-ticket-creation-jobs b/changes/issue-4847-queue-jira-ticket-creation-jobs
deleted file mode 100644
index 60204aa686..0000000000
--- a/changes/issue-4847-queue-jira-ticket-creation-jobs
+++ /dev/null
@@ -1 +0,0 @@
-* Queue Jira ticket creation jobs when new vulnerabilities are found and a Jira integration is enabled.
diff --git a/changes/issue-4864-enter-submits-form b/changes/issue-4864-enter-submits-form
deleted file mode 100644
index 3628a889dc..0000000000
--- a/changes/issue-4864-enter-submits-form
+++ /dev/null
@@ -1 +0,0 @@
-* Pressing enter submits forms app-wide
\ No newline at end of file
diff --git a/changes/issue-4879-extend-vuln-period b/changes/issue-4879-extend-vuln-period
deleted file mode 100644
index 099fa1d231..0000000000
--- a/changes/issue-4879-extend-vuln-period
+++ /dev/null
@@ -1 +0,0 @@
-* Extend the maximum age for a vulnerability to be considered recent to 30 days instead of 2.
diff --git a/changes/issue-5048-detect-noperm-redis-standalone b/changes/issue-5048-detect-noperm-redis-standalone
deleted file mode 100644
index 3823c21b96..0000000000
--- a/changes/issue-5048-detect-noperm-redis-standalone
+++ /dev/null
@@ -1 +0,0 @@
-* Support Redis in standalone mode when CLUSTER commands are disabled via ACL.
diff --git a/changes/issue-GHSA-pr2g-j78h-84cr b/changes/issue-GHSA-pr2g-j78h-84cr deleted file mode 100644 index e66b072a4e..0000000000 --- a/changes/issue-GHSA-pr2g-j78h-84cr +++ /dev/null @@ -1,3 +0,0 @@ -* Fix access control issues with "user" endpoints. -* Fix access control issues with "pack" endpoints. -* Fix access control issues with "software" endpoints. diff --git a/changes/issue-jira-loadtest-add-recent-vuln-max-age b/changes/issue-jira-loadtest-add-recent-vuln-max-age deleted file mode 100644 index 1a3fd179d4..0000000000 --- a/changes/issue-jira-loadtest-add-recent-vuln-max-age +++ /dev/null @@ -1 +0,0 @@ -* Add the `vulnerabilities.recent_vulnerability_max_age` configuration option. diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml index a459d656db..7a906baa75 100644 --- a/charts/fleet/Chart.yaml +++ b/charts/fleet/Chart.yaml @@ -4,8 +4,8 @@ name: fleet keywords: - fleet - osquery -version: v4.12.1 +version: v4.13.0 home: https://github.com/fleetdm/fleet sources: - https://github.com/fleetdm/fleet.git -appVersion: v4.12.1 +appVersion: v4.13.0 diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index 8687949717..2c758a5e58 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml @@ -2,7 +2,7 @@ # All settings related to how Fleet is deployed in Kubernetes hostName: fleet.localhost replicas: 3 # The number of Fleet instances to deploy -imageTag: v4.12.1 # Version of Fleet to deploy +imageTag: v4.13.0 # Version of Fleet to deploy createIngress: true # Whether or not to automatically create an Ingress ingressAnnotations: {} # Additional annotation to add to the Ingress podAnnotations: {} # Additional annotations to add to the Fleet pod diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf index 370648f16c..2fb8e3b6d6 100644 --- a/infrastructure/dogfood/terraform/aws/variables.tf +++ b/infrastructure/dogfood/terraform/aws/variables.tf 
@@ -56,7 +56,7 @@ variable "database_name" { variable "fleet_image" { description = "the name of the container image to run" - default = "fleetdm/fleet:v4.12.1" + default = "fleetdm/fleet:v4.13.0" } variable "software_inventory" { diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf index 9cba5c0533..8aedb015e4 100644 --- a/infrastructure/dogfood/terraform/gcp/variables.tf +++ b/infrastructure/dogfood/terraform/gcp/variables.tf @@ -68,5 +68,5 @@ variable "redis_mem" { } variable "image" { - default = "fleet:v4.12.1" + default = "fleet:v4.13.0" } diff --git a/tools/fleetctl-npm/package.json b/tools/fleetctl-npm/package.json index b96bd1aae7..7b5d39a159 100644 --- a/tools/fleetctl-npm/package.json +++ b/tools/fleetctl-npm/package.json @@ -1,6 +1,6 @@ { "name": "fleetctl", - "version": "v4.12.1", + "version": "v4.13.0", "description": "Installer for the fleetctl CLI tool", "bin": { "fleetctl": "./run.js"