mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
update main 4.72.1 4.73.0 (#32755)
parent 0721217e5b
commit 7a6f57bc36
57 changed files with 81 additions and 75 deletions
CHANGELOG.md (73 lines changed)
@ -1,3 +1,76 @@
## Fleet 4.73.0 (Sep 8, 2025)
### Security Engineers
- Added new detail query, only executed if TPM PIN enforcement is required, for determining whether a BitLocker PIN is set.
- Added host identity certificate renewal support for TPM-backed certificates (Linux-only). When a certificate is within 180 days of expiration, orbit will automatically renew it using proof-of-possession with the existing certificate's private key.
- Added new global activity created when a new disk encryption key is escrowed.
- Added issuer and issued cells to the host details and my device page certificates table.
- Allowed filtering host and team software by minimum and maximum CVSS score in the Fleet UI.
- Updated UI to display kernel vulnerabilities in the operating system details page for Linux systems.
- Updated macOS 13 CIS policies to align with CIS Benchmark v3.1.0 (from v3.0.0).
- Updated macOS 14 CIS policies to align with CIS Benchmark v2.1.0 (from v2.0.0).
- Updated macOS 15 CIS policies to align with CIS Benchmark v1.1.0 (from v1.0.0).
- Updated Fleet's certificate ingestion to accept non-standard country codes of longer than 2 characters. In addition, updated ingestion of other fields to truncate long values and log an error instead of failing.
### IT Admins
- Added API endpoints for adding, deleting and listing secret variables.
- Added ability to add and delete custom variables in the UI.
- Added APIendpoints to get and list batch scripts.
- Added cron job to launch scheduled batch scripts.
- Added API endpoint to cancel scheduled batch script run.
- Added the ability to cancel batch script runs directly from the UI summary modal.
- Added ability to schedule batch script runs in advance to the "Run scripts" modal.
- Added the ability to filter the hosts list to those hosts that were incompatible with the script in a batch run.
- Added side navigation on the Controls > Scripts page, with the previous Scripts page content under the "Library" tab and a new "Batch progress" tab containing details about started, scheduled, and finished scripts.
- Added batch execution IDs to script run activities.
- Added IdP SSO authentication to the BYOD mobile devices enrollment if that option is enabled for the team.
- Allowed overriding install/uninstall scripts, and specifying pre-install queries and post-install scripts, for Fleet-maintained apps in GitOps.
- Added support of `$FLEET_VAR_HOST_UUID` in Windows MDM configuration profiles.
- Added additional logging information for Windows MDM discovery endpoint when errors occur.
- Added support for last opened time for Linux software (DEB & RPM packages).
- NOTE: Package will need to be updated out-of-band once, because the pre-removal script from previously-generated packages is called upon an upgrade. The old pre-removal script stopped Orbit unconditionally. `fleet-osquery` can safely be updated through the Software page only _after_ a new package generated with this version of fleetctl has been installed through other means.
- Added indication of whether software on a host was never opened, vs. being a software type where last opened time collection is not supported.
- Added automatic install policies into host software responses.
### Other improvements and bug fixes
- Added permissions to OS updates page so that only global admins and the team admin can see the page.
- Cleared label membership when label platform changes (via GitOps).
- Improved public IP extraction for Fleet Desktop requests.
- Marked DDM profiles as failed if response comes back with Unknown Declaration Type error, and improve upload validation for declaration type.
- Modified `PUT /api/v1/fleet/spec/secret_variables` endpoint to only accept secret variables with uppercase letters, numbers and underscores.
- Updated software inventory so that when multiple version of a software are installed the last used timestamp for each version is properly returned.
- Revised stale vulnerabilities deletion (for false positive cleanup) to clear vulnerabilities touched before the current vulnerabilities run, instead of using a hard-coded threshold based on how often the vulns cron runs.
- Removed unintended broken sort on Fleet Desktop > Software > type column.
- Validated Gitops mode URL on frontend and backend.
- Updated to not log an error if EULA is missing for the `/setup_experience/eula/metadata` endpoint.
- Loosened validation during GitOps dry runs for software installer install/uninstall scripts that contain Fleet secrets.
- Added missing checks for invalid values before trying to store them in DB.
- Updated styles for turn on MDM info banner button.
- Updated so that DEB and RPM packages generated by `fleetctl package` to now be safe to upgrade in-band through the Software page.
- Updated so that individual script executions from batch jobs are now hidden from the global feed.
- Updated to attest the signed Windows Orbit binary instead of the unsigned one.
- Updated both Fleet desktop and osquery for macOS and Windows artifacts to attest the binaries inside archives.
- Made sure that if disk encryption is enabled and a TPM PIN is required, the user is able to set a TPM PIN protector.
- Removed `DeferForceAtUserLoginMaxBypassAttempts` from FileVault profile, to use default value of 0 to indicate the FileVault enforcement can not be deferred on next login.
- Updated go to 1.24.6.
- Fixed cases where the uninstall script population job introduced in Fleet 4.57.0 would attempt to extract package IDs on software that we don't generate uninstall scripts for, causing errors in logs and retries of the job.
- Fixed potential panic in error handler when Redis is down.
- Fixed a potential race condition issue, where a host might get released because no profiles has been sent for installation before releasing the device, by checking the currently installed profiles against what is expected.
- Fixed invalid rate limiting applied on Fleet Desktop requests for which a public IP could not be determined.
- Fixed VPP token dropdown to allow user to choose "All teams" selection.
- Fixed an issue where Windows configuration profiles fails to validate due to escaping data sequence with `<![CDATA[...]]>` and profile verifier not stripping this away.
- Fixed an issue where a host could be stuck with a "Unlock Pending" label even if the unlock script was canceled.
- Fixed 5XX errors on `/api/v1/fleet/calendar/webhook/*` endpoint due to missing authorization checks.
- Fixed server panic when listing software titles for "All teams" with page that contains a software title with a policy automation in "No team".
- Fixed operating system icons from bleeding into software icons.
## Fleet 4.72.1 (Aug 27, 2025)
### Bug fixes
- Fixed a potential race condition issue, where a host might get released because no profiles has been sent for installation before releasing the device, by checking the currently installed profiles against what is expected.
## Fleet 4.72.0 (Aug 13, 2025)
### Security Engineers
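Review bot: the standalone `- NOTE: Package will need to be updated out-of-band once, ...` bullet in the IT Admins section reads as a qualifier of the preceding last-opened-time entry, while the change it actually qualifies is the later entry `- Updated so that DEB and RPM packages generated by `fleetctl package` to now be safe to upgrade in-band through the Software page.` under Other improvements; move the note directly beneath that entry (or promote the upgrade-path change to its own IT Admins item) and reword the entry, which does not parse as written, along the lines of `- Made DEB and RPM packages generated by `fleetctl package` safe to upgrade in-band through the Software page.` Smaller fixes in the same hunk: `APIendpoints` is missing a space; `multiple version of a software` should be `multiple versions`; `no profiles has been sent` (in both the 4.73.0 and 4.72.1 entries) should be `have been sent`; `profiles fails to validate` should be `fail`; `a "Unlock Pending" label` should be `an`; and `and improve upload validation` should be `improved` to match the tense of the rest of the entry. The `Fixed 5XX errors on `/api/v1/fleet/calendar/webhook/*` endpoint due to missing authorization checks.` entry should also say whether the endpoint was reachable without authorization or merely failed with a server error, since that determines whether operators need to read it as a security fix.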
@ -1,9 +0,0 @@
- `fleetctl api` now supports sending data in the body of non-GET requests using the `-F` flag.
- For methods other than `GET`, using the syntax `-F field=<path`, the file at "path" will be read and the field will be set to the file's contents.
- For methods other than `GET`, using the syntax `-F field=@path`, the file at "path" will be uploaded as a multipart upload.
- When no file uploads are present, the body is encoded as a JSON dictionary.
- To ensure JSON values can be passed correctly, it is no longer possible to set multiple values for a repeatable flag using a comma (`,`). You must now specify the flag multiple times.
- `fleetctl` will attempt to parse values as JSON. If successful, the value will be embedded in the JSON body. For example, `fleetctl api -F field=true endpoint` will encode as `{"field":true}`. To use the literal string "true", write `-F 'field="true"'`.
- If the value cannot be parsed as JSON, it is sent as a string.
- When `--debug` is specified, the body is written to standard error, unless it contains non-Unicode characters.
- To upload a software package, use `fleetctl api -X POST -F software=@/path/to/software.pkg -F team_id=0 -F install_script=... -F uninstall_script=... software/package`
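Review bot: this deleted fragment, which documents `fleetctl api` body support via the `-F` flag (including the behaviour change that repeatable flags no longer accept comma-separated values and must be specified multiple times), has no corresponding entry in the new 4.73.0 section of CHANGELOG.md in this commit, whereas every other deleted fragment does; either add a 4.73.0 entry for it (the comma-separator change in particular deserves a mention since it breaks existing invocations) or confirm the feature was intentionally left out of this release.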
@ -1 +0,0 @@
* Allowed overriding install/uninstall scripts, and specifying pre-install queries and post-install scripts, for Fleet-maintained apps in GitOps
@ -1,3 +0,0 @@
* Attested the signed Windows Orbit binary instead of the unsigned one.
* For both Fleet desktop and Osquery for macOS and Windows artifacts,
attested the binaries inside archives.
@ -1 +0,0 @@
* Revised stale vulnerabilities deletion (for false positive cleanup) to clear vulnerabilities touched before the current vulnerabilities run, instead of using a hard-coded threshold based on how often the vulns cron runs.
@ -1 +0,0 @@
* Add support for last opened time for Linux software (DEB & RPM packages)
@ -1 +0,0 @@
* Remove `DeferForceAtUserLoginMaxBypassAttempts` from FileVault profile, to use default value of 0 to indicate the FileVault enforcement can not be deferred on next login.
@ -1 +0,0 @@
- Validate Gitops mode URL on frontend and backend
@ -1 +0,0 @@
Clear label membership when label platform changes (via GitOps).
@ -1 +0,0 @@
* Fixed an issue where windows configuration profiles fails to validate due to escaping data sequence with `<![CDATA[...]]>` and profile verifier not stripping this away.
@ -1 +0,0 @@
* Do not log an error if EULA is missing for the `/setup_experience/eula/metadata` endpoint
@ -1 +0,0 @@
- Added ability to add and delete custom variables in the UI
@ -1 +0,0 @@
* Added automatic install policies into host software responses
@ -1 +0,0 @@
* Allowed filtering host and team software by minimum and maximum CVSS score in the Fleet Premium UI
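Review bot: this deleted fragment says `Fleet Premium UI`, but the corresponding 4.73.0 changelog entry (`Allowed filtering host and team software by minimum and maximum CVSS score in the Fleet UI.`) drops the Premium qualifier; if CVSS-score filtering is a Premium feature, keep the qualifier in the changelog so readers on the free tier do not go looking for a filter they don't have.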
@ -1 +0,0 @@
- Fleet UI: Fixed VPP token dropdown to allow user to choose "All teams" selection
@ -1 +0,0 @@
* Added new global activity created when a new disk encryption key is escrowed.
@ -1 +0,0 @@
Updated Fleet's certificate ingestion to accept non-standard country codes of longer than 2 characters. In addition, updated ingestion of other fields to truncate long values and log an error instead of failing.
@ -1 +0,0 @@
Fixed potential panic in error handler when Redis is down.
@ -1 +0,0 @@
- Added ability to schedule batch script runs in advance to the "Run scripts" modal
@ -1 +0,0 @@
* Fixed cases where the uninstall script population job introduced in Fleet 4.57.0 would attempt to extract package IDs on software that we don't generate uninstall scripts for, causing errors in logs and retries of the job.
@ -1 +0,0 @@
* Added IdP SSO authentication to the BYOD mobile devices enrollment if that option is enabled for the team.
@ -1 +0,0 @@
* Fleet UI: Removed unintended broken sort on Fleet Desktop > Software > type column
@ -1 +0,0 @@
- Fixed operating system icons from accidentally bleeding into software icons
@ -1 +0,0 @@
* Mark DDM profiles as failed if response comes back with Unknown Declaration Type error, and improve upload validation for declaration type.
@ -1 +0,0 @@
* Loosened validation during gitops dry runs for software installer install/uninstall scripts that contain fleet secrets
@ -1 +0,0 @@
* Fixed an issue where a host could be stuck with a "Unlock Pending" label even if the unlock script was canceled.
@ -1 +0,0 @@
Added support of $FLEET_VAR_HOST_UUID in Windows MDM configuration profiles.
@ -1 +0,0 @@
Fixed 5XX errors on /api/v1/fleet/calendar/webhook/* endpoint due to missing authorization checks.
@ -1,2 +0,0 @@
- Added backend APIs for adding, deleting and listing secret variables.
- Modified `PUT /api/v1/fleet/spec/secret_variables` endpoint to only accept secret variables with uppercase letters, numbers and underscores.
@ -1,3 +0,0 @@
- Updated macOS 15 CIS policies to align with CIS Benchmark v1.1.0 (from v1.0.0).
- Updated macOS 14 CIS policies to align with CIS Benchmark v2.1.0 (from v2.0.0).
- Updated macOS 13 CIS policies to align with CIS Benchmark v3.1.0 (from v3.0.0).
@ -1 +0,0 @@
* Fixes a potential race condition issue, where a host might get released because no profiles has been sent for installation before releasing the device, by checking the currently installed profiles against what is expected.
@ -1 +0,0 @@
* Added new detail query, only executed if TPM PIN enforcement is required, for determining whether a BitLocker PIN is set.
@ -1 +0,0 @@
* Made sure that if disk encryption is enabled and a TPM PIN is required, the user is able to set a TPM PIN protector.
@ -1 +0,0 @@
- Show kernel vulnerabilities in the operating system details page for Linux like systems
@ -1,3 +0,0 @@
* Build side navigation on the Controls > Scripts page, with the previous Scripts page content under
the "Library" tab and a new "Batch progress" tab containing details about started, scheduled, and
finished scripts.
@ -1,2 +0,0 @@
- Individual script executions from batch jobs are now hidden from the global feed
- Batch execution IDs are now included in script run activities
@ -1 +0,0 @@
* Added indication of whether software on a host was never opened, vs. being a software type where last opened time collection is not supported
@ -1 +0,0 @@
- Added the ability to filter the hosts list to those hosts that were incompatible with the script in a batch run.
@ -1 +0,0 @@
* Added host identity certificate renewal support for TPM-backed certificates (Linux-only). When a certificate is within 180 days of expiration, orbit will automatically renew it using proof-of-possession with the existing certificate's private key.
@ -1 +0,0 @@
Added missing checks for invalid values before trying to store them in DB.
@ -1 +0,0 @@
- Add cron job to launch scheduled batch scripts
@ -1 +0,0 @@
- Added batch script cancel endpoint
@ -1 +0,0 @@
- Added the ability to cancel batch script runs directly from the summary modal
@ -1 +0,0 @@
* Fixed server panic when listing software titles for "All teams" with page that contains a software title with a policy automation in "No team".
@ -1,2 +0,0 @@
* Fixed invalid rate limiting applied on Fleet Desktop requests for which a public IP could not be determined.
* Improved public IP extraction for Fleet Desktop requests.
@ -1 +0,0 @@
- Added "Get batch script" and "List batch scripts" APIs
@ -1 +0,0 @@
Added additional logging information for Windows MDM discovery endpoint when errors occur.
@ -1 +0,0 @@
* When multiple version of a software are installed the last used timestamp for each version is properly returned in the host inventory
@ -1 +0,0 @@
- add permissions to os updates page so that only global admins and the team admin can see the page
@ -1 +0,0 @@
- add issuer and issued cells to the host details and my device page certificates table
@ -1 +0,0 @@
- update styles for turn on mdm info banner button
@ -1 +0,0 @@
* Updated go to 1.24.6
@ -4,11 +4,11 @@ name: fleet
keywords:
- fleet
- osquery
version: v6.6.12
version: v6.6.14
home: https://github.com/fleetdm/fleet
sources:
- https://github.com/fleetdm/fleet.git
appVersion: v4.72.0
appVersion: v4.73.0
dependencies:
- name: mysql
condition: mysql.enabled
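Review bot: the chart `version` jumps from v6.6.12 to v6.6.14 while `appVersion` moves from v4.72.0 to v4.73.0; if no v6.6.13 chart was published for Fleet 4.72.1, bump to v6.6.13 instead so the chart version sequence has no gap, otherwise a one-line mention in the commit message of why 6.6.13 was skipped would save the next reader the same question.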
@ -3,7 +3,7 @@
hostName: fleet.localhost
replicas: 3 # The number of Fleet instances to deploy
imageRepository: fleetdm/fleet
imageTag: v4.72.0 # Version of Fleet to deploy
imageTag: v4.73.0 # Version of Fleet to deploy
# imagePullSecrets is optional.
# imagePullSecrets:
# - name: docker
@ -56,7 +56,8 @@ variable "database_name" {
variable "fleet_image" {
description = "the name of the container image to run"
default = "fleetdm/fleet:v4.72.0"
default = "fleetdm/fleet:v4.73.0"
}
variable "software_inventory" {
description = "enable/disable software inventory (default is enabled)"
@ -68,7 +68,7 @@ variable "redis_mem" {
}
variable "image" {
default = "fleetdm/fleet:v4.72.0"
default = "fleetdm/fleet:v4.73.0"
variable "software_installers_bucket_name" {
default = "fleet-software-installers"
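Review bot: the context shown for this hunk has no closing `}` for `variable "image"` between the new `default = "fleetdm/fleet:v4.73.0"` line and `variable "software_installers_bucket_name" {`; if that is how the file reads rather than a rendering artefact of the diff view, the Terraform module will not parse, so please confirm the brace is present before merging.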
@ -1,6 +1,6 @@
{
"name": "fleetctl",
"version": "v4.72.0",
"version": "v4.73.0",
"description": "Installer for the fleetctl CLI tool",
"bin": {
"fleetctl": "./run.js"
@ -24,4 +24,4 @@
"osquery",
"security"
]
}
}